{"version":"1.1","schema_version":"1.1.0","plugin_version":"1.1.2","url":"https://tutos-gameserver.fr/2019/05/02/tutoriel-sur-la-configuration-du-serveur-web-linux-et-du-domaine-bien-choisir-son-serveur-d-impression/","llm_html_url":"https://tutos-gameserver.fr/2019/05/02/tutoriel-sur-la-configuration-du-serveur-web-linux-et-du-domaine-bien-choisir-son-serveur-d-impression/llm","llm_json_url":"https://tutos-gameserver.fr/2019/05/02/tutoriel-sur-la-configuration-du-serveur-web-linux-et-du-domaine-bien-choisir-son-serveur-d-impression/llm.json","manifest_url":"https://tutos-gameserver.fr/llm-endpoints-manifest.json","language":"fr-FR","locale":"fr_FR","title":"Tutoriel sur la configuration du serveur Web Linux et du domaine\n\n – Bien choisir son serveur d impression","site":{"name":"Tutos GameServer","url":"https://tutos-gameserver.fr/"},"author":{"id":1,"name":"Titanfall","url":"https://tutos-gameserver.fr/author/titanfall/"},"published_at":"2019-05-02T16:06:34+00:00","modified_at":"2019-05-02T16:06:34+00:00","word_count":15256,"reading_time_seconds":4577,"summary":"Prérequis du site Web: Ce tutoriel suppose que Linux est installé et fonctionne sur un ordinateur. Voir Installation de RedHat pour les bases. Une connexion à Internet est également supposée. Une connexion de 128 Mbits / s ou plus donnera les meilleurs résultats. ISDN, DSL, modem câble ou mieux sont tous appropriés. Un modem 56k […]","summary_points":["Prérequis du site Web:\n\nCe tutoriel suppose que Linux est installé et fonctionne sur un ordinateur.","Voir Installation de RedHat\npour les bases.","Une connexion à Internet est également supposée.","Une connexion de 128 Mbits / s ou plus donnera les meilleurs résultats."],"topics":["Serveur d'impression"],"entities":[],"entities_metadata":[{"id":10,"name":"Serveur d'impression","slug":"serveur-dimpression","taxonomy":"category","count":3907,"url":"https://tutos-gameserver.fr/category/serveur-dimpression/"}],"tags":["Serveur d'impression"],"content_hash":"13db03faef7e8c610c2a134f029a6040","plain_text":"Prérequis du site Web:\n\nCe tutoriel suppose que Linux est installé et fonctionne sur un ordinateur.\nVoir Installation de RedHat\npour les bases. Une connexion à Internet est également supposée.\nUne connexion de 128 Mbits / s ou plus donnera les meilleurs résultats.\nISDN, DSL, modem câble ou mieux sont tous appropriés.\nUn modem 56k fonctionnera mais les résultats seront au mieux médiocres.\nLes tâches doivent également être effectuées avec le nom d'utilisateur et le mot de passe de l'utilisateur root.\n\nAucune distribution ne semble avoir un avantage. Une distribution Ubuntu, SuSe, Fedora, Red Hat ou CentOS inclura tous les logiciels dont vous aurez besoin pour configurer un serveur Web.\nSi vous utilisez Red Hat Enterprise Linux, l'édition Workstation ou Server répondra à vos besoins, à l'exception du fait que l'édition Workstation n'inclura pas le package vsFTP. Il devra être compilé à partir de la source ou utiliser sftp.\n\n\nPrérequis logiciels: Le serveur Web Apache (httpd),\nFTP (nécessite xinetd ou inetd)\net Bind (nommé)\nles progiciels avec leurs dépendances sont tous nécessaires.\nOn peut utiliser le rpm commande pour vérifier l'installation:\n\n\nFedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:\n\n rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd\n \n RPM ajoutés FC2 +: system-config-httpd\n RPM ajoutés FC3 +: httpd-suexec\n\nChapeau rouge 9.0\n rpm -q httpd lier xinetd vsftpd\nUn RPM wu-ftpd Red Hat 8.0 peut être installé (version plus récente, version 2.6.2 ou ultérieure, avec correctif de sécurité). wu-ftpd-2.6.2-11) ou installer à partir de la source (rev 14).\n\nRed Hat 8.0\n rpm -q httpd lie xinetd wu-ftpd\n\nRed Hat 7.x:\n rpm -q apache bind inetd wu-ftpd\nUtilisez wu-ftpd version 2.6.2 ou ultérieure pour éviter les problèmes de sécurité.\n\nSuSE 9.3:\n rpm -ivh apache2 apache2-prefork lier lier-chrootenv lier-utils vsftpd\nRemarque: apache2-MPM est un terme générique désignant les options d'installation d'Apache.\npour "Modules de traitement multiple (MPM)", "prefork" ou "worker". Si vous essayez\net installez uniquement apache2, vous obtiendrez l’erreur suivante:\n apache2-MPM est nécessaire pour apache2-2.0.53-9\nVoir aussi Apache.org: MPMs\n\nUbuntu (natty 11.04 / 14.04) / Debian:\n\n apt-get install apache2\n   apt-get install bind9\n   apt-get install vsftpd \n\nUbuntu (dapper 6.06 / hardy 8.04) / Debian:\n\n apt-get install apache2 apache2 commun apache2-mpm-prefork apache2-utils\n   apt-get install bind9\n   apt-get install vsftpd \n\n\nVous devez également avoir une connaissance pratique du processus init Linux afin que ces services soient lancés au démarrage du système.\nConsultez le tutoriel sur le processus d'initialisation YoLinux pour plus d'informations.\n\n\nConfiguration du serveur Web HTTP Apache:\n\nLe fichier de configuration du serveur Web Apache est: /etc/httpd/conf/httpd.conf\n\nLes pages Web sont servies à partir de l'annuaire tel que configuré par le\n DocumentRoot directif. L'emplacement du répertoire par défaut est:\n\n\n\n\nDistribution Linux\nServeur Web Apache "DocumentRoot"\n\n\n\n\nRed Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6\n / var / www / html /\n\n\nRed Hat 6.x et plus\n / home / httpd / html /\n\n\nSuse 9.x\n / srv / www / htdocs /\n\n\nUbuntu (dapper 6.06) / Debian\n / var / www / html\n\n\nUbuntu (hardy 8.04 / natty 11.04 / fidèle 14.04) / Debian\n / var / www\n\n\n\nLa page d'accueil par défaut pour la configuration par défaut est index.html.\nNotez que les pages ne doivent pas appartenir à l'utilisateur apache comme c'est le\npropriétaire du processus du démon du serveur Web httpd. Si le processus du serveur Web est\ncompromis, il ne devrait pas être autorisé à modifier les fichiers. Les fichiers\ndevrait bien sûr être lisible par l'utilisateur apache.\n\nApache peut être configuré pour s'exécuter de cette manière en tant qu'hôte pour un site Web.\nou il peut être configuré pour servir pour plusieurs domaines. Servir pour plusieurs\nLes domaines peuvent être atteints de deux manières:\n\n\nHôtes virtuels: Une adresse IP mais plusieurs domaines – Hébergement virtuel "basé sur le nom".\n\nPlusieurs hôtes virtuels basés sur IP: Une adresse IP pour chaque domaine – Hébergement virtuel "basé sur IP".\n\n\nLa configuration par défaut permettra à l'un d'avoir plusieurs comptes d'utilisateurs\nsous un domaine en utilisant une référence au compte d'utilisateur:\n http: // www.domain.com/ ~ utilisateur1 /.\nSi aucun domaine n'est enregistré ou configuré, l'adresse IP peut également être utilisée:\n http: //XXX.XXX.XXX.XXX/ ~ utilisateur1 /.\n\n[Potential Pitfall] \nLe umask par défaut pour la création de répertoire est correct par défaut mais s'il ne l'est pas, utilisez:\n chmod 755 / home /utilisateur1/ public_html\n\n\n[Potential Pitfall] Lors de la création de "Annuaire"\ndirectives de configuration,\nJ'ai trouvé que les placer par l'existant "Annuaire"directives\nêtre une mauvaise idée.\nIl n'utiliserait pas le .htaccess fichier. C'était parce que la déclaration\ndéfinir l'utilisation de la .htaccess le fichier était après la\n"Annuaire"déclaration. Précédemment dans RH 6.x\nles fichiers ont été séparés et l'ordre a été défini un peu différent.\nJe place maintenant de nouveaux "Annuaire"déclarations vers la fin du fichier juste\navant le "VirtualHost"déclarations.\n\nPour les utilisateurs de Red Hat 7.1, l'outil de configuration de l'interface graphique apacheconf\na été introduit pour la foule qui aime utiliser de jolis outils de pointer et cliquer.\n\nFichiers utilisés par Apache:\n\n\nScript de démarrage / arrêt / redémarrage:\n\nRed Hat / Fedora / CentOS: /etc/rc.d/init.d/httpd\n \nSuSE 9.3: /etc/init.d/apache2\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/init.d/apache2\n \n\n\nFichier de configuration principal Apache:\n\nRed Hat / Fedora / CentOS: /etc/httpd/conf/httpd.conf\n \nSuSE: /etc/apache2/httpd.conf\n (Nécessité d'ajouter une directive: Nom du serveur nom d'hôte)\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/apache2/apache2.conf\n \n\n\nFichiers de configuration supplémentaires Apache:\n\nRed Hat / Fedora / CentOS: /etc/httpd/conf.d/composant.conf\n \nSuSE: /etc/apache2/conf.d/composant.conf\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian:\n\nDomaines virtuels: / etc / apache2 / sites-enabled /domaine\n (Créer un lien symbolique à partir de / etc / apache2 / sites-enabled /domaine à / etc / apache2 / sites-available /domaine pour allumer. Utiliser la commande a2ensite)\n \nDirectives de configuration supplémentaires: /etc/apache2/conf.d/\n \nModules à charger: / etc / apache2 / mods-available /\n (Lien symbolique vers / etc / apache2 / mods-enabled / pour allumer)\n \nPorts à écouter: /etc/apache2/ports.conf\n \n\n\n\n\n/ var / log / httpd / access_log et error_log –\n    Fichiers journaux Apache Red Hat / Fedora Core\n (Suse: / var / log / apache2 /)\n\n\n\nDémarrer / Arrêter / Redémarrer les scripts:\nLe script doit être exécuté avec les qualificatifs début, Arrêtez,\n redémarrer ou statut.\n c'est à dire.\n /etc/rc.d/init.d/httpd restart. Un redémarrage permet au serveur Web\npour redémarrer et lire les fichiers de configuration pour prendre en compte les modifications.\nPour que ce script soit appelé au démarrage du système, lancez la commande\n chkconfig --add httpd.\nVoir le tutoriel sur le processus Linux Init pour\nune discussion plus complète.\n\nAussi outil de contrôle Apache: / usr / sbin / apachectl start\n\n\nApache Control Command: apachectl:\n\nRed Hat / Fedora Core / CentOS: apachectl directif\n\nUbuntu dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04 / Debian: apachectl (lien logiciel vers apache2ctl) ou apache2ctl directif\n\n\n\nDirectif\nLa description\n\n\n\n\ndébut\nDémarrez le démon Apache httpd. Donne une erreur s'il est déjà en cours d'exécution.\n\n\nArrêtez\nArrête le démon Apache httpd.\n\n\ngracieux\nRedémarre gracieusement le démon Apache httpd. Si la\nle démon n'est pas en cours d'exécution, il est démarré. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.\n\n\ngracieux-stop\nArrête gracieusement le démon Apache httpd. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.\n\n\nredémarrer\nRedémarre le démon httpd Apache. Si le démon est\nne marche pas, c'est commencé. Cette commande vérifie automatiquement la\nfichiers de configuration comme dans configtest avant de lancer le redémarrage\nassurez-vous que le démon ne meurt pas.\n\n\nstatut\nAffiche un bref rapport de statut.\n\n\nstatut complet\nAffiche un rapport d'état complet de\nétat_modal. Requiert l'activation de mod_status sur votre serveur et une base de données textuelle\nnavigateur tel que Lynx disponible sur votre système. L'URL utilisée pour accéder\nle rapport d'état peut être défini en modifiant la variable STATUSURL dans le\nscénario.\n\n\nconfigtest-t\nExécutez un test de syntaxe du fichier de configuration.\n\n\n\nOutil de contrôle Apache: apachectl – page de manuel\n\n\nFichiers de configuration Apache:\n\n\n/etc/httpd/conf/httpd.conf: est utilisé pour configurer Apache.\nDans le passé, il était divisé en trois fichiers. Ceux-ci peuvent maintenant être tous\nconcaténés dans un fichier.\nVoir la documentation en ligne Apache\npour le manuel complet.\n\n/etc/httpd/conf.d/application.conf: Tous les fichiers de configuration\n    dans ce répertoire sont inclus lors du démarrage d’Apache. Utilisé pour stocker des configurations spécifiques à une application.\n\n/ etc / sysconfig / httpd: Contient les variables d'environnement utilisées lors du démarrage d'Apache.\n\n\n\nParamètres de base: Changer la valeur par défaut pour NomServeur www. <votre-domaine.com>\n\n\nAutoriser Apache à accéder au système de fichiers: Il est prudent de limiter Apache\nvue du système de fichiers uniquement aux répertoires nécessaires. Ceci est fait avec\nla déclaration de répertoire.\nCommencez par refuser l'accès à tout, puis accordez l'accès aux ressources nécessaires.\ndes répertoires.\n\nRefuser complètement l'accès à la racine du système de fichiers ("/") par défaut:\n\nCommencez par refuser, puis accordez les autorisations:\n\n\n\n \n \n \n Options Aucune\n   AllowOverride None\n\n\n\nDéfinissez l'emplacement par défaut des pages Web du système et autorisez l'accès: (Red Hat / Fedora / CentOS)\n\n\n\n\n\nDocumentRoot "/ var / www / html"\n\n\n Index des options FollowSymLinks\n   AllowOverride None\n   Ordre permettre, refuser\n   Autoriser de tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+\n\n\n\nNote: la directive "Exiger tout accordé"est nouveau depuis Apache httpd 2.4.3.\n\nLe comportement hérité peut être obtenu avec la commande: sudo a2enmod access_compat\nAccorder l'accès au répertoire Web d'un utilisateur: public_html\n\nActivation de Red Hat / Fedora Linux, Apache public_html accès au répertoire utilisateur:\nCela permettra aux utilisateurs de servir le contenu de leurs répertoires personnels dans le sous-répertoire "/maison/identifiant d'utilisateur/ public_html /"en accédant à l'URL http: //nom d'hôte/ ~ userid /\n\n\n\nFichier: /etc/httpd/conf/httpd.conf\n\n\n\n\nLoadModule userdir_module modules / mod_userdir.so\n\n...\n...\n\n\n #UserDir disable - Ajoute un commentaire à cette ligne\n #\n    # Pour permettre aux requêtes à / ~ utilisateur / de servir le public_html de l'utilisateur\n    # répertoire, supprimez la ligne "UserDir disable" ci-dessus et supprimez le commentaire\n    # la ligne suivante à la place:\n UserDir public_html # Décommenter cette ligne\n\n\n\n\n\n\n\n\n...\n...\n\n\n AllowOverride FileInfo AuthConfig Limit\n    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec\n \n Ordre permettre, refuser\n        Autoriser de tous\n \n \n \n \n \n Ordre nier, permettre\n        Refuser à tous\n \n\n\nPasser à un commentaire (ajouter "#" au début de la ligne) à partir de Fedora Core par défaut UserDir désactiver et assigner le répertoire public_html en tant que répertoire accessible du serveur Web.\n OU\n Attribuez à un seul utilisateur la possibilité spécifique de partager son répertoire:\n\n\n\n \n \n \n Les index des options incluent FollowSymLinks\n   AllowOverride None\n   ordre autoriser, refuser\n   permettre à tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+\n\n\n\nPermet à l'utilisateur spécifique, "utilisateur1"seulement, la possibilité de servir le répertoire /maison/utilisateur1/ public_html /\nUtilisez également la commande SELinux pour définir le contexte de sécurité: setsebool httpd_enable_homedirs true\n\n\nAutorisations de répertoire: Le démon du serveur Web Apache doit pouvoir lire votre site Web.\npages afin d’alimenter leur contenu sur le réseau. Utilisez un approprié\numask et protection de fichiers. Autoriser l'accès au répertoire Web: chmod ugo + rx -R public_html.\n Notez que le répertoire de l'utilisateur doit également avoir les autorisations appropriées car il est le parent de public_html.\n Autorisations par défaut sur le répertoire de l'utilisateur: ls -l / home\n drwx ------ 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1\n Autorisez l’accès au serveur Web à exploiter le répertoire parent: chmod ugo + x / home / user1\n d-wx - x - x 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1\n\nOn peut également utiliser des groupes pour contrôler les autorisations.\nVoir le tutoriel YoLinux sur la gestion des groupes.\n\n\n\n\nActiver Apache d'Ubuntu public_html accès au répertoire utilisateur:\nUbuntu a découpé les directives du module chargeable Apache dans le répertoire\n/ etc / apache2 / mods-available /.\nPour activer un module Apache, générez des liens symboliques vers le répertoire / etc / apache2 / sites-enabled / en utilisant les commandes a2enmod/a2dismod activer / désactiver les modules Apache.\n\nExemple: \n\n[root@node2]# a2enmod\n Une liste des modules disponibles est affichée. Entrez "userdir" comme module à activer.\n\nRedémarrez Apache avec la commande suivante: /etc/init.d/apache2 force-reload\n\n\nRemarque: Cela revient à générer manuellement les deux liens symboliques suivants:\n\n\nln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf\n\nln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load\n\n\nPage de manuel: a2enmod / a2dismod\n\n[Potential Pitfall]: Si le serveur Web Apache ne peut pas accéder au fichier, vous obtiendrez le message d'erreur "403 interdit" "Vous n'avez pas la permission d'accéder nom de fichier sur ce serveur. "\nNotez que les autorisations par défaut sur un répertoire utilisateur lors de sa création avec "useradd" sont les suivantes:\n\n drwx ------ 3 userx userx\nVous devez autoriser le serveur Web exécuté en tant qu'utilisateur "apache" à accéder au répertoire s'il doit afficher les pages qu'il contient.\n\nCorrection avec la commande: chmod ugo + rx / home / userx\n\n drwxr-xr-x 3 userx userx\n\n\n\nOrdre de fonctionnement du fichier de configuration:\nLes directives de configuration sont affectées dans l'ordre dans lequel elles sont lues.\nCeci est important sinon un comportement inattendu peut en résulter.\n\nLes fichiers de configuration Red Hat / CentOS / Fedora / AWS sont lus dans l'ordre suivant:\n\n\n/etc/httpd/conf/httpd.conf\n lit les fichiers d'inclusion "Inclure conf.modules.d / *. Conf" et "IncludeOptional conf.d / *. Conf"\n\n/etc/httpd/conf.modules/*.conf\n\n/etc/httpd/conf.d/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.\n\n\nLes fichiers de configuration Ubuntu / Debian sont lus dans l'ordre suivant:\n\n\n/etc/apache2/apache2.conf\n lit les fichiers d'inclusion\n\n/etc/apache2/mods-enabled/*.load\n\n/etc/apache2/mods-enabled/*.conf\n\n/etc/apache2/conf-enabled/*.conf\n\n/etc/apache2/sites-enabled/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.\n\n\nLa valeur par défaut du serveur pour l'accès à l'aide de l'adresse IP est généralement le premier domaine défini dans "conf.d / *. conf"tel que défini par l'ordre alphabétique.\nC'est également ce que voient les pirates sur le site lors de l'analyse du réseau via des adresses IP.\nC'est souvent une malédiction d'avoir un domaine commençant par la lettre "a" car des serveurs mal configurés dirigeront tout le trafic des hackers vers ce site.\nPar conséquent, il est recommandé de générer une configuration par défaut pour l’accès aux adresses IP.\n\nFichier: /etc/httpd/conf.d/1st.conf (Ubuntu: /etc/apache2/sites-enabled/1st.conf)\n\nDirectoryIndex index.html\n\n NomServeur www4.defaultdomain.com\n    DocumentRoot / srv / www / default / html\n    ErrorLog /var/log/httpd/1st-error.log\n    TransferLog /var/log/httpd/1st-access.log\n \n Options FollowSymLinks\n        AllowOverride None\n \n \n \n \n \n Options FollowSymLinks MultiViews Inclut\n        IndexOptions SuppressLastModified SuppressDescription\n        AllowOverride All\n        Ordre permettre, refuser\n        permettre à tous\n \n\n\nPage Web par défaut: /srv/www/default/html/index.html devrait être une simple page statique sans accès à la base de données ou au CMS.\nAprès tout, les seuls qui se retrouvent ici sont les pirates.\nContextes de sécurité SELinux:\nFedora Core 3 et Red Hat Enterprise Linux 4 ont introduit les règles de sécurité et les étiquettes de contexte SELinux (Security Enhanced Linux).\n \nPour afficher les étiquettes de contexte de sécurité appliquées à vos fichiers de page Web, utilisez la commande\ncommander: ls -Z\nLe système active / désactive les politiques SELinux dans le fichier. / etc / selinux / config\n SELinux peut être désactivé en définissant la directive SELINUX. (Ensuite, redémarrez le système):\n\n\n\n\n\nSELINUX = désactivé\n\nou en utilisant la commande setenforce 0 désactiver temporairement SELinux jusqu'au prochain redémarrage.\n\nLorsque vous utilisez les fonctions de sécurité de SELinux,\nles étiquettes de contexte de sécurité doivent être ajoutées pour qu'Apache puisse lire vos fichiers.\nL'étiquette de contexte de sécurité par défaut utilisée est héritée du répertoire des fichiers nouvellement créés. Donc une copie (cp) doit être utilisé et non un mouvement (mv)\nlors du placement de fichiers dans le répertoire de contenu. Déplacer ne crée pas un nouveau\nfichier et donc le fichier ne reçoit pas le contexte de sécurité du répertoire\nétiquette.\nLes étiquettes de contexte utilisées pour les répertoires Apache par défaut peuvent être\nvu\navec la commande: ls -Z / var / www\n Les répertoires Web des utilisateurs (c'est-à-dire public_html) devrait\nêtre défini avec l'étiquette de contexte appropriée (httpd_sys_content_t).\n \nAttribuez un contexte de sécurité pour les pages Web: chcon -R -h -t httpd_sys_content_t / home /utilisateur1/ public_html\n Options:\n\n\n-R: récursif. Fichiers et répertoires du répertoire en cours et de tous les sous-répertoires.\n\n-h: affecte les liens symboliques.\n\n-t: spécifie le type de contexte de sécurité.\n\n\nUtilisez les contextes de sécurité suivants:\n\n\n\n\nType de contexte\nLa description\n\n\n\n\nhttpd_sys_content_t\nUtilisé pour le contenu Web statique. c'est-à-dire des pages Web HTML.\n\n\nhttpd_sys_script_exec_t\nUtiliser pour les scripts CGI exécutables ou les exécutables binaires.\n\n\nhttpd_sys_script_rw_t\nCGI est autorisé à modifier / supprimer des fichiers de ce contexte.\n\n\nhttpd_sys_script_ra_t\nCGI est autorisé à lire ou à annexer des fichiers de ce contexte.\n\n\nhttpd_sys_script_ro_t\nCGI est autorisé à lire les fichiers et les répertoires de ce contexte.\n\n\n\nDéfinissez les options suivantes: setsebool httpd-option vrai\n (ou réglé sur faux)\n\n\n\n\nPolitique\nLa description\n\n\n\n\nhttpd_enable_cgi \nAutoriser le support de httpd cgi.\n\n\nhttpd_enable_homedirs \nAutoriser httpd à lire les répertoires personnels.\n\n\nhttpd_ssi_exec \nAutorisez httpd à exécuter les exécutables SSI dans le même domaine que les scripts CGI du système.\n\n\n\nPuis redémarrez Apache: \n\nRed Hat / Fedora / Suse et tous les systèmes Linux basés sur un script d'initialisation System V: /etc/init.d/httpd restart\n\nRed Hat / Fedora: service httpd restart\n\n\nLes valeurs booléennes SE par défaut sont spécifiées dans le fichier: / etc / selinux / target / booleans\n\nPour plus d’informations sur SELinux, reportez-vous au tutoriel sur l’administration de systèmes YoLinux.\n\nHôtes Virtuels:\nLe serveur Web Apache permet de configurer un seul ordinateur pour représenter plusieurs sites Web comme s'ils se trouvaient sur des hôtes distincts.\nDeux méthodes sont disponibles et nous décrivons la configuration de chacune. Choisissez une méthode pour votre domaine:\n\nNom d'hôte virtuel: (le plus commun)\n    Un seul ordinateur avec une seule adresse IP prenant en charge plusieurs domaines Web.\n    Le navigateur Web utilisant le protocole http identifie le domaine en cours d’adresse.\n\nHôte virtuel basé sur IP:\n    Les hôtes virtuels peuvent être configurés comme un seul ordinateur multi-hébergé avec plusieurs adresses IP sur une seule carte réseau, chaque adresse IP représentant un domaine Web différent.\n    Cela a l'apparence d'un domaine Web pris en charge par un ordinateur dédié car il possède une adresse IP dédiée.\n\n\nConfiguration d'un hôte virtuel "basé sur le nom":\nUne configuration d'hôte virtuel permet d'héberger plusieurs domaines de site Web sur un serveur.\n(Cela n'est pas nécessaire pour un serveur Linux dédié hébergeant un seul site Web.)\n\nNameVirtualHost XXX.XXX.XXX.XXX\n\n\n\n\n\n\n\n<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com - CNAME (alias DNS www) spécifié dans (/ var / named / ...)\n ServerAlias votre-domaine.com - Autorise les requêtes sans le préfixe "www".\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_htmlLogs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log\n\n\nRemarques:\n\nVous pouvez spécifier plusieurs adresses IP. c'est à dire si web\nserveur est également utilisé comme pare-feu / passerelle et vous avez un\nadresse IP Internet externe ainsi qu’une adresse IP de réseau local.\n\nNameVirtualHost XXX.XXX.XXX.XXX\n\n\n\nNameVirtualHost 192.168.XXX.XXX\n\n\n\n\n\n\n\n<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>\n   ...\n   ..\n\nReportez-vous au didacticiel YoLinux pour configurer un routeur / pare-feu réseau avec iptables et NAT.\n\nUtilisez votre adresse IP pour XXX.XXX.XXX.XXX, nom de domaine et adresse e-mail actuels.\n On peut utiliser les vues DNS pour fournir différents résultats DNS du réseau local.\n\nL'adresse IP de l'hôte peut être référencée de manière générique pour fonctionner sur toutes les cartes réseau:\n\n<VirtualHost *: 80>\n   ...\n   ..\n\nRemarque Cette méthode est recommandée pour les hébergements basés sur NAT, tels qu'Amazon Web Services (AWS) EC2.\n\nNotez que je configure Apache pour les deux demandes http: // www.nom de domaine.com et http: //nom de domaine.com.\n\nUne fois les hôtes virtuels configurés, votre système par défaut\n    domaine (/ var / www / html) cessera de fonctionner.\n    Votre domaine par défaut doit maintenant être configuré en tant que domaine virtuel.\n\n\n\n \n\n \n\n \n\n ... Cette partie reste la même\n \n \n \n ..\n\n\n\n# Valeur par défaut lorsque aucun nom de domaine n’est donné (accès par adresse IP, par exemple)\n\n<VirtualHost *: 80>\n   ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log\n\n\n# Ajoutez une définition VirtualHost pour votre domaine qui était autrefois la valeur par défaut du système.\n\n<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com\n \n \n \n ServerAlias votre-domaine.com\n \n \n \n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log\n\n\n ...\n   ..\n \n\nTransfert vers une URL primaire. Il est préférable d'éviter l'apparition de contenu Web dupliqué à partir de deux URL telles que http: // www.ton domaine.com et\n http: //ton domaine.com. Fournissez une "redirection" Apache de redirection.\n\n<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur www.votre-domaine.com - Notez qu'aucun alias n'est répertorié\n \n \n \n ...\n   ...\n\n\n# Ajouter une définition VirtualHost à transférer à votre URL principale\n\n<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur votre-domaine.com\n \n \n \n ServerAlias autre-domaine.com\n \n \n \n ServerAlias ​​www.autre-domaine.com\n \n \n \n Rediriger permanent / http: // www.votre-domaine.com.com /\n\n\n ...\n   ..\n \nRemarque: \n\nPlus d'exemples d'hôte virtuel.\n\n\nLorsqu’ils spécifient plus de domaines, ils peuvent tous utiliser la même adresse IP ou certains / tous\npeuvent utiliser leur propre adresse IP unique.\nSpécifiez un "NameVirtualHost" pour chaque adresse IP.\n\nUne fois les fichiers de configuration Apache modifiés, redémarrez le démon httpd:\n /etc/rc.d/init.d/httpd restart (Chapeau rouge) ou /etc/init.d/apache2 restart (Ubuntu / Debian)\n\nConfiguration du domaine virtuel Apache avec Ubuntu:\nUbuntu sépare chaque domaine virtuel dans un fichier de configuration séparé\ntenue dans l'annuaire / etc / apache2 / sites-available /.\nLorsque le domaine du site doit devenir actif, un lien symbolique est créé vers le répertoire. / etc / apache2 / sites-enabled /.\nExemple: / etc / apache2 / sites-available / supercorp\n\n\n\n \n \n \n NomServeur supercorp.com\n        ServerAlias ​​www.supercorp.com\n        Webmaster ServerAdmin @ localhost\n\n        DocumentRoot / home / supercorp / public_html / home\n \n Options FollowSymLinks\n                AllowOverride None\n \n \n \n \n \n Options Index FollowSymLinks MultiViews\n                IndexOptions SuppressLastModified SuppressDescription\n                AllowOverride All\n                Ordre permettre, refuser\n                permettre à tous\n                Exiger tout accordé - Ceci est requis pour Apache 2.4+\n \n\n ScriptAlias ​​/ cgi-bin / / home / supercorp / cgi-bin /\n \n AllowOverride None\n                Options + ExecCGI -MultiViews + SymLinksIfOwnerMatch\n                Ordre permettre, refuser\n                Autoriser de tous\n \n\n ErrorLog /var/log/apache2/supercorp.com-error.log\n\n        # Les valeurs possibles incluent: debug, info, notice, avertir, erreur,\n        # crit, alerte, émergent.\n        LogLevel avertir\n        CustomLog /var/log/apache2/supercorp.com-access.log combinés\n        ServerSignature On\n\n\n\nActiver le domaine:\n\nCréer un lien symbolique:\n\nManuellement: ln -s / etc / apache2 / sites-disponibles / supercorp / etc / apache2 / sites-enabled / supercorp\n \nUtiliser les scripts Ubuntu a2ensite/a2dissite. Tapez commande et il vous demandera quel site vous souhaitez activer ou désactiver.\n \n\n\nRedémarrez Apache:\n\napachectl gracieux\n ou\n \n/etc/init.d/apache2 restart\n ou\n \n/etc/init.d/apache2 reload\n \n\n\n\nNotez également que les modules Apache peuvent également être activés / désactivés avec des scripts a2enmod / a2dismod.\n\nPages de manuel:\n\nConfiguration d'un hôte virtuel "basé sur IP":\nOn peut attribuer plusieurs adresses IP à une seule interface réseau.\nVoir le tutoriel de mise en réseau YoLinux: Aliasing de réseau.\nChaque adresse IP peut alors être son propre serveur virtuel et son propre domaine.\nL’inconvénient de la méthode d’hôte virtuel "basée sur IP" est que vous devez posséder\nadresses IP multiples / supplémentaires. Cela coûte généralement plus cher.\nLa méthode d'hébergement virtuel basée sur le nom standard ci-dessus est plus populaire pour cette raison.\n\n \n \n \n \nNameVirtualHost * - Indique toutes les adresses IP\n\n\n\n\n\n\n\n<VirtualHost *>\n   ServerAdmin utilisateur0@default-domain.com\n \n \n \n DocumentRoot / home /utilisateur0/ public_html\n\n\n<VirtualHost XXX.XXX.XXX.101>\n   ServerAdmin utilisateur1@domain-1.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html\n\n\n<VirtualHost XXX.XXX.XXX.102>\n   ServerAdmin utilisateur1@domain-2.com\n \n \n \n DocumentRoot / home /utilisateur2/ public_html\n\n\nLe défaut bloc sera utilisé par défaut\npour toutes les adresses IP non spécifiées explicitement.\nCette adresse IP par défaut (*) peut ne pas fonctionner pour https URL.\nCGI: (interface de passerelle commune)\nCGI est un programme exécutable qui génère dynamiquement une page Web en écrivant\nà stdout. CGI est autorisé par l'une des deux directives de fichier de configuration suivantes:\nLes fichiers de programme exécutables doivent avoir les privilèges d’exécution, exécutables par le\npropriétaire du processus (Red Hat 7 + / Fedora Core: apache.\nUtilisation plus ancienne personne) sous lequel le démon httpd est exécuté.\nConfiguration de CGI pour une exécution avec des privilèges utilisateur:\nLa fonctionnalité suEXEC offre aux utilisateurs Apache la possibilité d’exécuter CGI et SSI.\nprogrammes sous des identifiants d'utilisateur différents de ceux de l'appelant\nserveur Web. Normalement, lorsqu'un programme CGI ou SSI s'exécute, il s'exécute en tant que\nle même utilisateur qui exécute le serveur Web.\n\nNameVirtualHost XXX.XXX.XXX.XXX\n\n\n\n\n\n\n\n<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur noeud1.votre-domaine.com - Permet les demandes par nom de domaine sans le préfixe "www".\n ServerAlias votre-domaine.com www.votre-domaine.com - CNAME (alias www) spécifié dans le fichier de configuration Bind (/ var / named / ...)\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html /votre-domaine.com\n \n \n \n Logs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log\n\n   SuexecUserGroup utilisateur1 utilisateur1\n \n \n \n <Répertoire / home /utilisateur1/ public_html /votre-domaine.com/>\n      Options + ExecCGI + Index\n      AddHandler cgi-script .cgi\n \n\n\nPages d'erreur:\nVous pouvez spécifier vos propres pages Web au lieu des pages d'erreur Apache par défaut:\n\nErrorDocument 404 /Error404-missing.html\nCréer le fichier Error404-missing.html dans votre répertoire "DocumentRoot".\n\nTraitez toutes les erreurs avec une page de transfert:\n\n\n\n\n\nErrorDocument 400 /error.shtml\nErrorDocument 401 /error.shtml\nErrorDocument 403 /error.shtml\nErrorDocument 404 /error.shtml\nErrorDocument 500 /error.shtml\n\nExemple de fichier error.shtml (dans votre répertoire "DocumentRoot").\n\n\n\nPage non trouvée!\n\n\n\nPHP:\nSi les RPM appropriés php, perl et httpd sont installés,\nla configuration et les modules Red Hat Apache par défaut prend en charge PHP\ncontenu.\nPaquets RPM (RHEL):\n\n\nphp: langage de script HTML\n\nphp-pear: PEAR est un framework et un système de distribution de composants PHP réutilisables.\n\nphp-mysql: support de la base de données MySQL.\n\nphp-ldap: support du protocole LDAP (Lightweight Directory Access Protocol)\n\n\nConfiguration Apache:\n\nAjoutez php default page index.php au fichier de configuration apache: /etc/httpd/conf/httpd.conf\n\n\n\n\n...\n\nDirectoryIndex index.html index.htm index.php\n\n...\n\nFichier de configuration PHP:\n\nAWS – PHP 5.6: /etc/php-5.6.d/php.ini\nRHEL4 – PHP 4.3: /etc/php.ini\nUbuntu 18.04: /etc/php/7.2/apache2/php.ini\nUbuntu 6.06 / 6.11: /etc/php5/apache2/php.ini\n\n\n[PHP]\n\n\n\nmoteur = allumé\n...\n...\ndisplay_errors = Off\ninclude_path = ".: / php / includes"\n...\n...\nmemory_limit = 32M; La valeur par défaut est généralement de 8 Mo, ce qui est trop faible.\n...\n...\n\n[MySQL]\n...\n...\nmysql.default_host = super-serveur ; Nom d'hôte de l'ordinateur\nmysql.default_user = Dbuser\n\n\n\n...\n\nPetite partie du fichier montré.\n\nNotez que les modifications ne prendront effet qu'après le redémarrage du démon de serveur Web Apache.\n\nTestez vos capacités PHP avec ce fichier de test: /maison/utilisateur1/public_html/test.php\n\n\n\n\n\n<? phpphpinfo ();?>\nOU (ancien format)\n\n\n\nTester: http: // localhost / ~utilisateur1/test.php\nPour plus d'informations, consultez la liste des sites Web d'informations PHP de YoLinux.\n\nExécuter plusieurs instances de httpd:\nLe démon du serveur Web Apache (httpd) peut être démarré avec la commande\noption de ligne "-f" pour spécifier un fichier de configuration unique pour chaque instance.\nConfigurez une adresse IP unique pour chaque instance d'Apache.\nReportez-vous au didacticiel de mise en réseau YoLinux pour spécifier plusieurs adresses IP pour une même carte réseau.\nUtilisez la directive du fichier de configuration Apache Écoute XXX.XXX.XXX.XXX, où l'adresse IP est unique pour chaque instance d'Apache.\n\nApache Man Pages:\n\nhttpd – Apache Hypertext Transfer Protocol Server\n\napachectl – Interface de contrôle du serveur HTTP Apache\n\nab – Outil d'analyse comparative de serveur HTTP Apache\n\nhtdigest – gère les fichiers utilisateur pour l'authentification Digest\n\nhtpasswd – Gère les fichiers utilisateur pour l'authentification de base\n\nlogresolve – Résoudre les adresses IP en noms d'hôte dans les fichiers journaux Apache\n\nrotatelogs – Programme de journalisation en pipeline pour faire pivoter les journaux Apache\n\n\nConsultez également le manuel de configuration Apache en ligne local: http: // localhost / manual /.\n\n\nConfiguration de l'interface graphique Apache Red Hat / Fedora Core:\nOutil de configuration de l'interface graphique:\n\n\nRed Hat EL 4/5, Fedora 2-10: / usr / bin / system-config-httpd\n\nRed Hat 8/9, Fedora Core 1: / usr / bin / redhat-config-httpd\n\n\n\n\n\nAjout de la connexion au site Web et de la protection par mot de passe: Consultez le didacticiel YoLinux sur la protection par mot de passe du site Web.\n\n\nAnalyse du fichier journal:\n\nL'analyse des fichiers de journal Web Apache ne fournira pas de statistiques significatives\nà moins qu’ils soient représentés graphiquement ou présentés de manière facile à lire. Le suivant\npaquets à un bon travail de présentation des statistiques du site.\n\nServices de statistiques de site Web:\n\n\nCharger en charge votre serveur:\n\n\nLiens Apache:\n\n\nCgiWrap – Le wrapper setuid qui permet aux utilisateurs d'installer et d'exécuter leurs propres scripts cgi exécutés sous leur propre ID utilisateur\n\nWWWThreads.org – Produit commercial – Logiciel avancé de téléconférence Web\n\nConfiguration de https (mod_ssl):\n \n\nAnalyse du fichier journal avec Analog:\n\nInstallation:\n\n\nRed Hat / Fedora: miam installer analogique\nUbuntu / Debian: apt-get install analog\n\nLes packages d'installation sont également disponibles sur la page de téléchargements analogiques.\nFichier de configuration: /etc/analog.cfg\n\n\n\n\nLOGFILE / var / log / httpd /votre-domaine.com-access_log * http: // www.votre-domaine.com\nUNCOMPRESS * .gz, *. Z "gzip -cd"\nSUBTYPE * .gz, *. Z\n#\nOUTFILE / home /utilisateur1/public_html/analog/Report.html\n#\nNOM D'HOTE "VotreDomaine.com"\nHOSTURL http: // www.votre-domaine.com\n\n....\n...\n..\n\nPages REQINCLUDE # Demander les statistiques de la page uniquement\n\n\n\nTOUT SUR\nLANGUE US-ANGLAIS\n\nVous pouvez afficher les paramètres utilisés avec votre fichier de configuration (également utiles pour le débogage): réglages analogiques\nRendre les images analogiques disponibles pour le rapport des utilisateurs: ln -s / usr / share / analogique / images / * / home /utilisateur1/ public_html / analogique\n\nEmplacement du fichier journal:\n\n\nRed Hat / Fedora: / var / log / httpd /\nUbuntu / Debian: / var / log / apache2 /\n\nLa directive "TOUT SUR"active tous les éléments suivants:\n\n\n\nDirective analogique\nLa description\n\n\n\n\nTous les mois \n une ligne par mois\n\n\nHEBDOMADAIRE SUR \n une ligne par semaine\n\n\nDAILYREP ON \n une ligne par jour\n\n\nDAILYSUM ON \n une ligne pour chaque jour de la semaine\n\n\nHOURLYREP ON \n une ligne pour chaque heure de la journée\n\n\nGENERAL ON \n le résumé général en haut\n\n\nDEMANDE SUR \n quels fichiers ont été demandés\n\n\nÉCHEC SUR \n quels fichiers n'ont pas été trouvés\n\n\nANNUAIRE SUR \n Rapport d'annuaire\n\n\nHÔTE SUR \n quels ordinateurs ont demandé des fichiers\n\n\nORGANISATION SUR \n de quelles organisations ils venaient\n\n\nDOMAINE SUR \n dans quels pays ils étaient\n\n\nREFERER SUR \n où les gens ont suivi les liens de\n\n\nFAILREF ON \n où les gens ont suivi des liens brisés de\n\n\nRECHERCHE SUR \n les phrases et les mots qu'ils ont utilisés …\n\n\nMOT DE RECHERCHE SUR \n … pour vous trouver parmi les moteurs de recherche\n\n\nNAVIGATEUR SUR \n quels types de navigateurs les gens utilisaient\n\n\nOSREP ON \n et quels systèmes d'exploitation\n\n\nFILETYPE ON \n types de fichiers demandés\n\n\nTAILLE SUR \n taille des fichiers demandés\n\n\nÉTAT SUR \n nombre de chaque type de succès et d'échec\n\n\n\nCron job pour gérer plusieurs domaines: /etc/cron.daily/analog\n\n\n\n\n#! / bin / sh\ncp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg\n/ usr / bin / analogique\ncp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg\n/ usr / bin / analogique\n\n...\n\nLiens:\n\nMesure des performances du serveur Web:\n\nVoir le didacticiel de référence du serveur Web YoLinux.com.\n\nConfiguration du compte utilisateur FTPd et FTP:\n\nDe nombreux programmes FTP existent. Cet exemple couvre le populaire\n      vsftpd (Red Hat default 9.0, Fedora Core, Suse) et\n      wu-ftpd (Washington\nUniversity) qui est livré en standard avec RedHat (le dernier livré avec\nRedHat 8.0 mais peut être installé sur n’importe quel système Linux).\n(RPM: wu-ftpd)\nIl existe d'autres programmes FTP, y compris proFtpd\n(prend en charge l’authentification LDAP, les directives de type Apache, les fonctionnalités complètes\nlogiciel serveur ftp),\n      bftpd, pure-ftpd (BSD libre et en option sur Suse), etc …\n\nPour les environnements hostiles, configurez un environnement chrooté pour sftp connexion cryptée et la rssh shell restreint pour OpenSSH.\nVoir le tutoriel sur la sécurité Internet de YoLinux.com pour Linux sftp et rssh configuration\n\nVoir aussi la configuration sftp chrootée préférée pour OpenSSH 4.9+\n\nFTPd et SELinux: pour autoriser l'accès au démon FTPd et l'accès FTP aux répertoires de base des utilisateurs:\n\nSuivre avec la commande service vsftpd redémarrer\nTutoriels de configuration FTPd:\n\nConfiguration du compte utilisateur vsFTPd et FTP:\n\nLe serveur ftp vsFTPd a été mis à disposition pour la première fois dans Red Hat 9.0. Il a également été adopté par Suse et OpenBSD.\nC'est actuellement le démon FTP recommandé pour une utilisation sur des serveurs FTP.\n\n\nActiver vsftpd:\n\n\nRed Hat / Fedora Core / CentOS:\nVsFTPd est un service autonome et par l’installation par défaut de Fedora Core,\nnon contrôlé par xinetd comme l’installation par défaut de wu-ftpd.\n Commencez donc le service: service vsftpd start (ou: /etc/init.d/vsftpd start)\n Configurez vsftpd pour qu'il démarre au démarrage du système: chkconfig --add vsftpd\n\nSuSE: Par défaut, vsftpd est un service contrôlé par xinetd. Autoriser\nServices de serveur FTP éditer le fichier /etc/xinetd.d/vsftpd et changer:\n désactiver = oui\n à:\n désactiver = non\n Redémarrez le démon xinetd: /etc/init.d/xinetd restart\n Remarque: vsftpd peut également être exécuté en tant que service autonome pour obtenir un résultat plus rapide.\nTemps de réponse.\n\nUbuntu (dapper / hardy / natty) / Debian:\n\nInstaller: apt-get install vsftpd\n \nVsFTPd est un service autonome.\n\nDébut: /etc/init.d/vsftpd start\n \nArrêtez: /etc/init.d/vsftpd stop\n \nRedémarrer: /etc/init.d/vsftpd restart\n (Utilisez cette commande après avoir modifié le fichier de configuration)\n \n\n\n\n\n\nPour plus d’informations sur le démarrage / l’arrêt / la configuration des services Linux, voir la\n      Tutoriel YoLinux sur le processus d'initialisation Linux et l'activation du service.\n\nFichiers de configuration:\n\nFichier de configuration vsFTPd:\n\nFedora Core / Red Hat: /etc/vsftpd/vsftpd.conf\n \nS.u.S.e. / Ubuntu (dapper / hardy / natty) / Debian: /etc/vsftpd.conf\n \n\nPar défaut pour Fedora Core 3:\n\nanonymous_enable = OUI - FTP anonyme autorisé par défaut si vous commentez ceci.\n                                  Répertoire par défaut utilisé: / var / ftp\n\n\n\n\n\n\n\nlocal_enable = YES - Un-comment this to allow local users to log in with FTP.\n Must also set SELinux boolean: setsebool -P ftp_home_dir 1\n\n\n\n\n\n\n\nwrite_enable=YES - Un-comment this to enable any form of FTP write or upload command.\n\n\n\n\n\n\n\nlocal_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.\n\n\n\n\n\n\n\n#anon_upload_enable=YES - Un-comment to allow the anonymous FTP user to upload files. \n                                  Requires the above global write enabled. Directory must also be writable by user.\n\n\n\n#anon_mkdir_write_enable=YES - Un-comment this to allow the anonymous FTP user to be able to create new directories.\n\n\n\n\n\n\n\ndirmessage_enable=YES - Activate directory messages. \n                                  Messages given to remote users when they enter certain directories\n\n\n\nxferlog_enable=YES - Activate logging of uploads/downloads.\n\n\n\n\n\n\n\nconnect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)\n\n\n\n\n\n\n\n#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)\n\n\n\n#chown_username=quiconque\n\n#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log\n\n\n\n\n\n\n\nxferlog_std_format=YES - Output to log file in standard ftpd xferlog format\n\n\n\n\n\n\n\n#idle_session_timeout=600 - Set timing out for an idle session.\n\n\n\n\n\n\n\n#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20\n\n\n\n\n\n\n\n#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.\n\n\n\n\n\n\n\n# Enable this and the server will recognize asynchronous ABOR requests. ne pas\n# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.\n#async_abor_enable=YES\n\n#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. \n                                  Disables command "ascii" and "SIZE /big/file".\n\n\n\n#ascii_download_enable=YES\n\n#ftpd_banner=Welcome to YoLinux - Customize the login banner string.\n\n\n\n\n\n\n\n#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.\n\n\n\n#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)\n\n\n\n\n\n\n\n#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.\n\n\n\n#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)\n\n\n\n\n\n\n\nls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.\n\n\n\n\n\n\n\npam_service_name=vsftpd\n\nuserlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list\n If "userlist_enable=NO" then allow specified users.\n Red Hat: /etc/vsftpd/user_list\n#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.\n\n\n\n\n\n\n\nlisten=YES - Enable for standalone mode as opposed to an xinetd service.\n Must set SELinux boolean: setsebool -P ftpd_is_daemon 1\n\n\n\ntcp_wrappers=YES\n \nRestart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart) \n\n [Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:\n \n\n\n\n\ndirective=XXX # comment\n \n vsftp.conf man page\n \n\nSpecify list of local users chrooted to their home directories:\n\nRed Hat: /etc/vsftpd/vsftpd/chroot_list\nUbuntu: /etc/vsftpd/vsftpd.chroot_list\n\n(Requires: chroot_list_enable=NO)\n\n user1user2...user-n\n \nSi userlist_enable=YES, then specify users not to be chroot'd..\n\nSpecify list of users:\n\nRed Hat: /etc/vsftpd/user_list\nUbuntu: /etc/vsftpd.user_list\n\n(Deny list of users requires: userlist_enable=YES)\n Also see PAM configuration below.\nracinepoubelledémonadmlpsynchroniserfermerarrêt...\nSi userlist_enable=NO, then specify valid users.\n\nPAM configuration file Fedora Core 3: /etc/pam.d/vsftpd\n\n\n\n\n#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth\n \nThis causes PAM to check /etc/vsftpd.ftpusers for users who are denied.\nThis duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.\n    \n    PAM authentication configuration file: ftpusers\n\nRed Hat: /etc/vsftpd/ftpusers\nUbuntu: /etc/vsftpd.ftpusers\n\n\n\n\n\nracine\npoubelle\ndémon\nadm\nlp\nsynchroniser\nfermer\narrêt\n...\n...\n...\nuser6 - Users to deny\nuser8\n\n\n\n...\n...\n \n\nLogrotate configuration file: /etc/logrotate.d/vsftpd.log\n\n\n\n\n/var/log/xferlog \n    # ftpd doesn't handle SIGHUP properly\n    nocompress\n    missingok\n\n \n\n\n\nSample vsFTPd configurations:\n\n\nAnonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf\n\n\n\n\n# Access rights\nanonymous_enable=YES - Turn on anonymous FTP\n\n\n\nchown_uploads=YES - Uploaded files owned by an assigned user\n\n\n\nchown_username=ftp - Uploaded files owned by this assigned user\n\n\n\nlocal_enable=NO\nwrite_enable=NO - No upload of files system changes allowed\n\n\n\nanon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n# Security\nanon_world_readable_only=YES\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO\nhide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\n# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\nanon_max_rate=50000\n\npam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES\n\nAnonymous logins use the login name "anonymous" and then the user supplies their\nemail address as a password. Any password will be accepted.\nUsed to allow the public to download files from an ftp server.\nGenerally, no upload is permitted.\n\n\nWeb hosting configuration: /etc/vsftpd/vsftpd.conf\n\n\n\n\n# Access rights\nanonymous_enable=NO\nlocal_enable=YES - Allow users to ftp to their home directories\n\n\n\nwrite_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE\n\n\n\nlocal_umask=022\n# Security\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO - Don't remap user name\n\n\n\nftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string.\n\n\n\nchroot_local_user=YES - Limit user to browse their own directory only\n\n\n\nchroot_list_enable=YES - Enable list of system / power users\n\n\n\nchroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users\n\n\n\nhide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\ndirmessage_enable=YES - Message greeting held in file .message or specify with message_file=...\n\n\n\n# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\n#\npam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES\n\nSpecify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list\n Ubuntu typically: /etc/vsftpd.chroot_list\n (Requires: chroot_list_enable=NO)\n\nuser1user2...user-n\n\nSi userlist_enable=YES, then specify users not to be chroot'd..\n\n\n\n[Potential Pitfall]:\nMisspelling a directive will cause vsftpd to fail with little warning.\n\nFichier: .message\n\n\n\n\n\nA NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.\n\n\nTest if vsftp is listening: netstat -a | grep ftp\n\n[root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN\nLinks:\nWU-FTPd and FTP user account configuration:\n\nThe wu-ftpd FTP server can be downloaded (binary or source) from\nhttp://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org).\n\nThere are three kinds of FTP logins that wu-ftpd provides:\n\n\nanonymous FTP – one logs in with the username 'anonymous'\n\nreal FTP – log in with a real username and password and\nhas access to the entire disk structure.\n\nguest FTP – one logs in with a real user name and\npassword, but the user is chroot'ed to his home directory and cannot\nescape from it.\nThey are constrained to their home directory which also means that they don't\nhave access to /bin/ls and other commands on the server.\nThus a local minimalist environment must be set up.\n\n\nThis tutorial covers "guest" FTP configuration.\n\nThe file /etc/ftpaccess controls the configuration of ftp.\n\n\n \n \n \n # Don't allow system accounts to log in over ftp\n   deny-uid %-99 %65534-\n   deny-gid %-99 %65534-\n\n   class all real,guest *\n   email webmaster@your-domain.com\n \n \n \n loginfails 5\n\n   readme README* login\n   readme README* cwd=*\n   message /welcome.msg login\n   message .message cwd=*\n\n   compress yes all\n   tar yes all\n   chmod no guest,anonymous\n   delete no anonymous # delete files permission?\n   overwrite no anonymous # overwrite files permission?\n   rename no anonymous # rename files permission?\n   delete yes guest # delete files permission?\n   overwrite yes guest # overwrite files permission?\n   rename yes guest # rename files permission?\n   umask no guest # umask permission?\n\n   log transfers anonymous,real inbound,outbound\n\n   shutdown /etc/shutmsg\n\n   passwd-check rfc822 warn\n\n   # Must also create message file /etc/pathmsg of the guest directory.\n   # In this case it refers to /home/user1/public_html/etc/pathmsg.\n   path-filter guest /etc/pathmsg ^[-A-Za-z0-9_.]*$ ^. ^-\n   limit all 2\n   noretrieve passwd .htaccess core - Do not allow users to download files of these names\n \n \n \n limit-time * 20\n   byte-limit in 5000 - Limit file size\n \n \n \n guestuser * - System user default categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.\n \n \n \n realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". \n                                    Visibility of the whole file system and subject to regular UNIX file permissions\n \n \n \n realuser user4 - Assign real user privileges to user id "user4". \n\n \n\n \n\n \n\n restricted-uid user1 user2 user3 - Restricts FTP to the specified directories\n \n \n \n guest-root /home/user1/public_html user1\n guest-root /home/user2/public_html user2\n   guest-root /home/user3/public_html user3\n\n\nRemarque:\n\n\nuser1, user2 et user3 refer to login accounts. Use the appropriate login name.\n\nThe above configuration disables anonymous FTP which allows anyone to\nperform an FTP login with the id anonyme and an email address as a\npassword. To enable anonymous FTP, change the classe directive to:\n\n class all real,guest,anonymous *\n \n\nGUI FTP configuration tools:\n\n/usr/bin/kwuftpd\n \n/sbin/linuxconf\n (Note: Linuxconf is no longer included with Red Hat 7.3 and later)\n \n\n\nRed Hat Linux assigns users a user id and group id which is the same.\n    This means that it does not matter if you use a realuser ou\n realgroup directive as they will act the same.\n\nRed Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections.\n    Thus xinetd must be running and configured to support ftp. le\n    configuration file is /etc/xinetd.d/wu-ftpd.\n    The command chkconfig wu-ftpd on will make the ftp server available.\n    See xinet configuration for more info.\n\nAllow override of deny-uid et / ou deny-gid:\n\n allow-uid user-to-allow\n \n \n \n allow-gid group-to-allow\n \n\nOptional configuration:\n\nCreate a group ftpchroot\n \nAdd users to this group\n \nUse directive: guestgroup ftpchroot\n \n\n\n\n\n[Potential Pitfall]: Flaky ftp behavior,\ntimeouts, etc?? FTP works best with name resolution of the computer it is\ncommunicating with.\nThis requires proper /etc/resolv.conf and name server (bind)\nconfiguration, /etc/hosts or NIS/NFS configuration.\n\n\nFichier /home/user1/public_html/etc/pathmsg:\n\n\n \n \n \n A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.\n   You have tried to upload a file with an inappropriate name.\n\n\nThe whole point of the chroot directory is to make the\nuser's home directory appear to be the root of the\nfilesystem (/) so one could not wander around the filesystem.\nConfiguration of /etc/ftpaccess will limit the user to their respective\ndirectories while still offering access to /bin/ls and other system commands\nused in FTP operation.\n\nAs root:\n\n\n \n \n \n cd /home/user1\n mkdir public_html\n   chown $1.$1 public_html\n   touch .rhosts - Security protection\n chmod ugo-xrw .rhosts \n\n\nMan Pages:\nServeur:\n\nftpd – Internet File Transfer Protocol server\n\n\nFile Formats:\n\n/etc/ftpaccess – Configuration file for ftpd\n\n/etc/ftpservers – ftpd virtual hosting configuration file. (optionnel)\n\n/etc/ftphosts – allow or deny access to certain accounts from various hosts. (optionnel)\n\n/etc/ftpconversions – ftpd conversions database (for tar and compression)\n\n/var/log/xferlog – FTP server logfile\n\nftp – File Transfer Client program\n\n\nConfiguration files: (RH 8.0+)\n\nPAM configuration file: /etc/pam.d/ftp\n\n\n\n\n#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth\n\n\nXinetd configuration file: /etc/xinetd.d/wu-ftpd\n\n\n\n\nservice ftp\n\n        disable = no\n        socket_type = stream\n        wait = no\n        user = root\n        server = /usr/sbin/in.ftpd\n        server_args = -l -a\n        log_on_success += DURATION USERID\n        log_on_failure += USERID\n        nice = 10\n\n \nNote: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.\n\nLogrotate configuration file: /etc/logrotate.d/ftpd\n/var/log/xferlog nocompress\n\n\nPlus d'information:\nMan pages on related FTP commands and files:\n\nchroot – Run with a special root directory\n \nftpcount – Show number of concurrent users.\n \nftpshut – close down the ftp servers at a given time\n \nftprestart – Restart previously shutdown ftp servers\n \nftpwho – show current process information for each ftp user\n \nprivatepw – Change WU-FTPD Group Access File Information (admin command)\n \n\nOther FTP daemons:\nFTP Pitfalls:\n\nIf you get the following error:\n\nftp> ls227 Entering Passive Mode (208,188,34,109,208,89)ftp: connect: No route to host\nThis means you have firewall issues most probably on the FTP server itself.\nStart by removing the firewall "iptables" rules: iptables -F\nAdd rules until you discover what is causing the problem.\n\nPassive mode:\nPassive mode can also help one past the rules:\nftp> passivePassive mode on.\nThis toggles passive mode on and off.\nWhen on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port et pasv_max_port\nFirewall connection tracking module:\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_conntrack_ftp"\nNAT firewall modules:\nYou can also try adding ip_nat_ftp to the list of auto-loaded modules:\n(This will also load the dependency: ip_conntrack_ftp.)\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_nat_ftp"\nThen restart the firewall: /etc/init.d/iptables condrestart\nFTP will change ports during use. le ip_conntrack_ftp module will\nconsider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work.\ni.e. rule: /etc/sysconfig/iptables\n\n-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\nFTP fails because it can not change to the users home directory:\nErreur:\n\n[user1@nodex ~]$ ftp node.domain.com\n\n\n\nConnected to XXX.XXX.XXX.XXX.\n530 Please login with USER and PASS.\n530 Please login with USER and PASS.\nKERBEROS_V4 rejected as an authentication type\nName (XXX.XXX.XXX.XXX:user1):\n331 Please specify the password.\nMot de passe:\n500 OOPS: cannot change directory:/home/user1\nLogin failed.\nftp> bye\n\nThis is often a result of SELinux preventing the vsftpd process from accessing the user's home directory.\nAs root, grant access with the following command:\nsetsebool -P ftp_home_dir 1\nFollowed by: service vsftpd restart\n\nTest your vsftpd SELinux settings: getsebool -a | grep ftp\n\n\n\n\n\nallow_ftpd_anon_write --> off\nallow_ftpd_full_access --> off\nallow_ftpd_use_cifs --> off\nallow_ftpd_use_nfs --> off\nallow_tftp_anon_write --> off\nftp_home_dir --> on\nftpd_disable_trans --> off\nftpd_is_daemon --> on\nhttpd_enable_ftp_server --> off\ntftpd_disable_trans --> off\n\nFTPd SELinux man page\n\nFTP Linux clients:\n\n\ngftp: GUI GTK+\nMulti-threaded client. File transfer directory browsing and compare.\nMultiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS,\nSSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.\n \nKFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.\n \nkbear:\nGUI KDE based client. Connect to multiple servers, transfer files,\ndirectory browsing, file content browsing. Comes with S.U.S.e. Linux.\n \nftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)\n \n\nBasic user security:\n\nWhen hosting web sites, there is no need to grant a shell account which only\nallows the server to have more potential security holes. Current systems can\nspecify the user to have only FTP access with no shell by granting them the\n"shell" /sbin/nologin provided with the system or the "ftponly"\nshell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id\n \n\n [Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5\ndoes not support this configuration to prevent shell access.\nIt requires users to have a real user shell.\nc'est à dire. / bin / bash It works great in older and current Red Hat versions.\nIf it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access.\nYou should NOT be using this problem ridden version of ftpd. Use the latest\nwu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly\n \n\n [Potential Pitfall]: Ubuntu – Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access.\nOne must create the shell "ftponly" as defined below to allow vsftp access with no shell.\n \n\nDisable remote telnet login access allowing FTP access only:\n\n Change the shell for the user in /etc/passwd de / bin / bash être /opt/bin/ftponly.\n \n\n\n\n\n...\nuser1:x:502:503::/home/user1:/opt/bin/ftponly\n...\n \n Create file: /opt/bin/ftponly.\n Protection set to -rwxr-xr-x 1 root root \n with the command: chmod ugo+x /opt/bin/ftponly\n Contents of file:\n \n\n\n\n\n\n#!/bin/sh\n#\n# ftponly shell\n#\ntrap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15\n#\nAdmin=root@your-domain.com\n#System=`/bin/hostname`@`/bin/domainname`\n#\n/bin/echo\n/bin/echo "********************************************************************"\n/bin/echo " You are NOT allowed interactive access."\n/bin/echo\n/bin/echo " User accounts are restricted to ftp and web access."\n/bin/echo\n/bin/echo " Direct questions concerning this policy to $Admin."\n/bin/echo "********************************************************************"\n/bin/echo\n#\n# C'ya\n#\nexit 0\n \n\n The last step is to add this to the list of valid shells on the system.\n Add the line /opt/bin/ftponly à /etc/shells.\n \n Sample file contents: /etc/shells\n \n\n\n\n\n/ bin / bash\n/bin/bash1\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n \n See man page on /etc/shells.\n\nAn alternative would be to assign the shell /bin/false ou /sbin/nologin qui est devenu\navailable in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false ou /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.\n \n\nSet file quotas to limit user account.\n \n\nFor more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial\n \nDomain Name Server (DNS) configuration using Bind version 8 or 9:\n\nTwo of the most popular ways to configure the program Bind\n(Berkeley Internet Domain software) to perform DNS\nservices is in the role of (1) ISP or (2) Web Host.\n \n\nIn an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any\nURL the user wishes to visit. (See DNS caching server)\n \nIn a purely web hosting configuration, Bind will only resolve for the\nIP addresses of the domains which are being hosted. This is the configuration\nwhich will be discussed and is often called an "Authoritative-only Nameserver".\n \n\nWhen resolving IP addresses for a domain, Internic is\nexpecting a "Primary"\nand a "Secondary" DNS name server. (Sometimes called Master and Slave)\nEach DNS name server requires the file /etc/named.conf and the files it\npoints to.\nThis is typically two separate computer systems hosted on two different\nIP addresses. It is not necessary that the Linux servers be dedicated to\nDNS as they may run a web server, mail server, etc.\n\n\n Note on Bind versions: Red Hat versions 6.x used Bind version 8.\nRelease 7.1 of Red Hat began using Bind version 9 and the GUI configuration\noutil bindconf was introduced for those of you that like a pretty\npoint and click interface for configuration.\n \nInstallation Packages:\n \n\nRed Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind\n\nbind-chroot: Security jail for operation of bind.\nbind-utils: Utility commands like nslookup, host, dig\nsystem-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).\ncaching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.\n\n\nUbuntu (dapper/hardy/natty) / Debian: bind9\n \n\nConfiguration files:\n\n\n Red Hat / Fedora / CentOS:\n\n\n\nFichier\nLa description\nDirectory\nChrooted Directory\n\n\n\n\nnamed.conf\nPrimary/Secondary DNS server configuration.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)\n/etc/\n/var/named/chroot/etc/\n\n\nnamed.root.hints\nConfiguration for recursive service. Required for all zones.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)\n/etc/\n/var/named/chroot/etc/\n\n\nnommé\nRed Hat system variables.\n/etc/sysconfig/\npas de changement\n\n\nrndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/named/chroot/etc/\n\n\nZone files\nConfiguration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.\n/var/named/\n/var/named/chroot/var/named/\n\n\n\n Debian / Ubuntu:\n\n\n\nFichier\nLa description\nDirectory\nChrooted Directory\n\n\n\n\nnamed.confnamed.conf.optionsnamed.conf.local\nPrimary/Secondary DNS server configuration.\n/etc/bind/\n/var/bind/chroot/etc/bind/\n\n\nrndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/bind/chroot/etc/\n\n\nZone files\nConfiguration files for each domain.\n/var/bind/data/\n/var/bind/chroot/var/bind/data/\n\n\n\nPrimary server (master):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) et /etc/sysconfig/named for system variables.\n Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options et /etc/bind/named.conf.local\n Simple example: (no views)\n\noptions - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed.\n \n \n \n allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9\n\n\n\n;\n\nzone "localhost" \n        type master;\n        file "/etc/bind/db.local";\n;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;\n\nzone "your-domain.com" - Ubuntu separates the zone definitions into /etc/bind/named.conf.local \n \n \n \n type master; - Specify master, slave, forward or hint\n \n \n \n file "data/named.your-domain.com"; \n        notify yes; - slave servers are notified when the zone is updated.\n \n \n \n allow-update none; ; - deny updates from other hosts (default: none)\n \n \n \n allow-query any; ; - allow clients to query this server (default: any)\n\n\n\n;\nzone "your-domain-2.com"\n        type master;\n        file "data/named.your-domain-2.com";\n        notify yes;\n;\n\nRemarque:\n\n The omission of zone ".". Required if providing a recursive service.\n\n Ubuntu includes the separated file of zone directives using the directive:\n include "/etc/bind/named.conf.local";\n\n\nBIND Views:\nThe BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result. \n\nIf no views are specified then use the configuration shown above.\n\nThe match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.\n\nIf even one view is specified, then ALL zones MUST be associated with a "view".\n\nBind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "interne" and "externe":\n\nlocalhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf\n \ninternal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.\n \nexternal: The general public internet defined as client "any".\n \n\n\nIf you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).\n\nIn order to support a DNS for internet domains using views, one will have to configure an "external" view\n\n\n Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")\n\noptions\n\n        directory "/var/named"; // the default\n        dump-file "data/cache_dump.db";\n        statistics-file "data/named_stats.txt";\n        memstatistics-file "data/named_mem_stats.txt";\n\n;\nenregistrement\n\n    // By default, SELinux policy does not allow named to modify the /var/named\n    // directory, so put the default debug log file in data/ :\n \n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n;\nview "localhost_resolver"\n\n    // This view sets up named to be a localhost resolver ( caching only nameserver ).\n    // If all you want is a caching-only nameserver, then you need only define this view:\n    match-clients localhost; ;\n    ...\n;\nview "internal"\n\n    // This view will contain zones you want to serve only to "internal" clients\n    // that connect via your directly attached LAN interfaces - "localnets" .\n    // For local private LAN. Not covered in this tutorial.\n    // Delete this view if web hosting with no local LAN.\n    match-clients localnets; ;\n    ...\n;\nkey ddns_key\n\n        algorithm hmac-md5;\n        secret "use /usr/sbin/dns-keygen to generate TSIG keys";\n;\nview "external"\n\n    // This view will contain zones you want to serve only to "external" \n    // public internet clients. This is covered below.\n    match-clients any; ;\n    ...\n    ..\n;\n \n Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf\n\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc\nchcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints\n\n view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:\n\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named\n also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root\n\n view "external": (master) – details –\n\nview "external"\n\n/* This view will contain zones you want to serve only to "external" clients\n * that have addresses that are not on your directly attached LAN interface subnets:\n * /\n        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS\n\n \n\n \n\n \n\n recursion no;\n        // you'd probably want to deny recursion to external clients, so you don't\n        // end up providing free DNS service to all takers\n\n        // all views must contain the root hints zone:\n        include "/etc/named.root.hints";\n\n        // These are your "authoritative" external zones, and would probably\n        // contain entries for just your web and mail servers:\n\n        zone "your-domain.com" \n                type master;\n                file "/var/named/data/external/named.your-domain.com";\n                notify yes;\n                allow-update none; ;\n        ;\n \n // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement\n \n \n \n include "/etc/named.conf.local"; \n;\n\n\nDNS key:\n\nUse the following command /usr/sbin/dns-keygen to create a key.\nAdd this key to the "secret" statement as follows:\n\nkey ddns_key\n\n        algorithm hmac-md5;\n        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";\n;\n\nMan Pages:\n\n\nForward Zone File: /var/named/named.your-domain.com\n\nRed Hat 9 / CentOS 3: /var/named/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com\n Ubuntu / Debian: /etc/bind/data/named.your-domain.com\n\n$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement.\n                     Measured in seconds. This value is 7 days.\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (\n   2000021600 ; en série - Many people use year+month+day+integer as a system.\n \n \n \n 86400 ; rafraîchir - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)\n \n \n \n 7200 ; réessayez - How long secondary server should wait for a retry if contact failed.\n \n \n \n 1209600 ; expirer - Secondary server to purge info after this length of time.\n \n \n \n 86400 ) ; default_ttl - How long data is held in cache by remote servers.\n \n \n \n IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. \n                                     I put the web server IP address here so that domain.com points to the same servers as www.domain.com\n\n\n\n;\n; Name servers for the domain\n;\n       IN NS ns1.your-domain.com.\n       IN NS ns2.your-domain.com.\n;\n; Mail server for domain\n;\n       IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Faire NE PAS specify an IP address!\n\n\n\n;\n; Nodes in domain\n;\nnode1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1\n\n\n\nns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1\n\n\n\nns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2\n\n\n\nmail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail.\n\n\n\n;\n; Aliases to existing nodes in domain\n;\nwww IN CNAME node1 - Define the webserver "www" to be node1.\n\n\n\nftp IN CNAME node1 - Define the ftp server to be node1.\n \nDNS record types and format:\n \n\n\n\nDNS record\nDescription and Format\n\n\n\n\nSOA\nStart of Authority: Primary domain server and contact info\n Note that there is a period following the primary domain server and contact email.\n Note that the email address is in the form where the first period represents the "@" symbol of the email address.\n\nyour-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com.\n\nou\n\n@ in SOA ns1.your-domain.com. webmaster.your-domain.com.\n\n[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages:\n\nview localhost_resolver: received notify for zone 'your-domain.com': not authoritative\n\n\n\n\nSOA attribute\nLa description\n\n\n\n\nen série\nNever use a value greater than 2147483647 for a 32 bit processor.Increment to a higher value to indicate an update to the slave server.\n\n\nrafraîchir\nTime increment (seconds) between update checks of the serial number with the primary server\n\n\nréessayez\nTime elapsed before a slave will contact the primary server if a connection failed\n\n\nexpirer\nTime till primary server information is considered invalid and should be refreshed if there is a new DNS query\n\n\nle minimum\nTime for DNS servers should hold domain information in their cache before purging\n\n\n\n\n\n\nDANS\nIndicate Internet.\n\n\nNS\nSpecify the Authoritative Name servers for the domain.\n\n\nUNE\nSpecify the IP address associated with the host name.Format: nom d'hôte IN A XXX.XXX.XXX.XXXNote that in my example, no hostname is specified for the first record. This will define the default for the domain.\n\n\nCNAME\nSpecify an alias for the host name.\n\n\nMX\nMail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain\n\n\nPTR\nUsed to specify the reverse DNS lookup\n\n\n\nMX records for 3rd party off-site mail servers:\n\nyour-domain.com. IN MX 10 mail1.offsitemail.com.\nyour-domain.com. IN MX 20 mail2.offsitemail.com.\n \nAppend to the above example file.\n Initial configuration:\n Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/\n\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/\ncd /var/named/chroot/var/named/data/\nchcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local\n\n A file suffix of "zone" is also common i.e. your-domain.com.zone\nSecondary server (slave):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf\n Ubuntu / Debian: /etc/bind/named.conf\n Simple example with no views:\n\noptions - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named";\n allow-transfer none; ; - Slave is not transfering updates to anyone else\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9\n\n\n\n;\nzone "localhost" \n        type master;\n        file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local\n\n\n\n;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;\n\nzone "your-domain.com"\n        type slave; \n        file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL chrooted bind\n masters XXX.XXX.XXX.XXX; ; - IP address of primary DNS\n\n\n\n;\nzone "your-domain-2.com"\n        type slave; \n        file "named.your-domain-2.com";\n        masters XXX.XXX.XXX.XXX; ;\n;\n \n view "external": (slave)\n\nview "external"\n\n        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer aucun; ; - Slave does not transfer to anyone, slave receives\n \n \n \n recursion no;\n        include "/etc/named.root.hints";\n\n        zone "your-domain.com" \n                type slave;\n                file "/var/named/slaves/external/named.your-domain.com";\n                notify no; - Slave does not notify, slave is notified by master\n \n \n \n masters XXX.XXX.XXX.XXX; ; - State IP of master server\n \n \n \n ;\n;\n\nNote: RHEL, CentOS, Fedora use chrooted directory structure\npermissions which require the use of the slaves sub-directory /var/named/slaves\n Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate a zone file on the slave.\n Information additionnelle:\n\n [Potential Pitfall]: Ubuntu dapper/hardy/natty – Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.\n \n\n [Potential Pitfall]: Ubuntu dapper/hardy/natty – Create log file and set ownership and permission for file not created by installation:\n \n\ntouch /var/log/bindlog\n \nchown root.bind /var/log/bindlog\n \nchmod 664 /var/log/bindlog\n \n\n\n [Potential Pitfall]: Error in /var/log/messages:\n \n\n\n\n\ntransfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied\n \nNamed needs write permission on the directory containing the file. Ce\ncondition often occurs for a new "slave" or "secondary" name server\nwhere the zone files\ndo not yet exist. The default (RHEL, CentOS, Fedora, …): \n\ndrwxr-x--- 4 root named 4096 Aug 25 2004 named\n \ndrwxrwx--- 2 named named 4096 Sep 17 20:37 slaves\n \n\nFix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:\nfile "slaves/named.your-domain.com";\nBind Defaults:\n \nAfter the configuration files have been edited, restart the name daemon.\n \n\n /etc/init.d/named restart\n \n(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)\n\nBind zone transfers work best if the clocks of the two systems are synchronised.\nSee the YoLinux SysAdmin Tutorial: Time and ntpd\n \n\n File: /var/named/named.your-domain.com\nThis is created for you by Bind on the slave (secondary) server when it replicates from Primary server.\n \n\n\n DNS GUI configuration:\n \n\nRed Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind\n \nRed Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind\n \n\n \n\nTest DNS:\nMust install packages:\n \n\nRed Hat / Fedora Core / SuSE: bind-utils\n \nUbuntu (dapper/hardy/natty) / Debian: bind9-host\n \n\nTest the name server with the\n          hôte\ncommand in interactive mode: \n hôte node.domain-to-test.com your-nameserver-to-test.domain.com\n \nNote: The name server may also be specified by IP address.\n \nou\n \nTest the name server with the\n          nslookup\ncommand in interactive mode:\n \n nslookup> server your-nameserver-to-test.domain.com\n \n \n \n > node.domain-to-test.com\n > exit\n \nTest the MX record if appropriate:\n \n nslookup -querytype=mx domain-to-test.com\n \n OU\n\n host -t mx domain-to-test.com\n \nTest using the dig command:\n \n dig @name-server domain-to-query\n\n OU\n\n dig @IP-address-of-name-server domain-to-query\n \nTest your DNS with the following DNS diagnostics web site: DnsStuff.com\n \n\nExtra logging to monitor Bind:\nAdd the following to your /etc/named.conf file.\n\nlogging \n        channel bindlog \n // Keep five old versions of the log-file (rotates logs)\n \n \n \n file "/var/log/bindlog" versions 5 size 1m;\n                           print-time yes;\n                           print-category yes;\n                           print-severity yes;\n                        ;\n/* If you want to enable debugging, eg. using the 'rndc trace' command,\n * named will try to write the 'named.run' file in the $directory (/var/named).\n * By default, SELinux policy does not allow named to modify the /var/named directory,\n * so put the default debug log file in data/ :\n * /\n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n        category xfer-out bindlog; ; - Zone transfers\n \n \n \n category xfer-in bindlog; ; - Zone transfers\n \n \n \n category security bindlog; ; - Approved/unapproved requests\n\n\n\n\n\n\n\n// The following logging statements, panic, insist and response-checks are \n// valid for Bind 8 only. Do not user for version 9.\n category panic bindlog; ; - System shutdowns\n \n \n \n category insist bindlog; ; - Internal consistency check failures\n \n \n \n category response-checks bindlog; ; - Messages\n\n\n\n;\n \n\nChroot Bind for extra security:\nNote: Most modern Linux distributions default to a "chrooted" installation.\nThis technique runs the Bind name service with a view of the filesystem\nwhich changes the definition of the root directory "/" to a directory\nin which Bind will operate. c'est à dire. /var/named/chroot.\n\nThe following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.\n \nThe latest RedHat bind updates run the named as user "named" to avoid a lot of\nearlier hacker exploits. To chroot the process is to create an even more\nsecure environment by limiting the view of the system that the process\ncan access. The process is limited to the chrooted directory assigned.\n \nThe chroot of the named process to a directory under a given user will\nprevent the possibility of an exploit which at one time would result in\nroot access.\nThe original default RedHat configuration (6.2) ran the named process as root,\nthus if an exploit was found, the named process will allow the hacker to use\nthe privileges of the root user. (no longer true)\n \nNamed Command Sytax:\n \n named -u utilisateur -g groupe -t directory-to-chroot-to\n \nExemple:\n named -u named -g named -t /opt/named\nWhen chrooted, the process does not have access to system\nlibraries thus a\nlocal lib directory is required with the appropriate library files –\ntheoretically. This does not seem to be the case here and as noted\nabove in chrooted FTP.\nIt's a mystery to me but it works????\nAnother method to handle libraries is to re-compile the named binary\nwith everything statically linked. Ajouter -static to the compile options.\nThe chrooted process should also require a local /etc/named.conf etc… but doesn't seem to???\n \nScript to create a chrooted bind environment:\n \n\n\n\n\n#!/bin/sh\ncd /opt\nmkdir named\ncd named\nmkdir etc\nmkdir bin\nmkdir var\ncd var\nmkdir named\nmkdir run\ncd ..\nchown -R named.named bin etc var\n\nYou can probably stop here. If your system acts like a chrooted system should,\nthen continue with the following:\n\ncp -p /etc/named.conf etc\ncp -p /etc/localtime etc\ncp -p /bin/false bin\necho "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd\necho "named:x:25:" > etc/group\ntouch var/run/named.pid \n\nsi [ -f /etc/namedb ]\npuis\n   cp -p /etc/namedb etc/namedb\nFi\n\nmkdir dev\ncd dev\n\n# Create a character unbuffered file.\nmknod -m ugo+rw null c 1 3 \n\ncd ..\nchown -R named.named bin etc var\n\nAdd changes to the init script: /etc/rc.d/init.d/named\n\n\n\n\n\n#!/bin/bash\n#\n# named This shell script takes care of starting and stopping\n# named (BIND DNS server).\n#\n# chkconfig: - 55 45\n# description: named (BIND) is a Domain Name Server (DNS) \n# that is used to resolve host names to IP addresses.\n# probe: true\n\n# Source function library.\n. /etc/rc.d/init.d/functions\n\n# Source networking configuration.\n. /etc/sysconfig/network\n\n# Check that networking is up.\n[ $NETWORKING = \"no\" ] && exit 0\n\n[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named \n\n[ -f /usr/sbin/named ] || exit 0\n\n[ -f /etc/named.conf ] || exit 0\n\nRETVAL=0\n\nstart() \n        # Start daemons.\n        echo -n "Starting named: "\n        daemon named -u named -g named -t /opt/named # Change made here\n\tRETVAL=$?\n \t[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named\nécho\n\treturn $RETVAL\n\nstop() \n        # Stop daemons.\n        echo -n "Shutting down named: "\n        killproc named\n\tRETVAL=$?\n\t[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named\n        écho\n\treturn $RETVAL\n\nrhstatus() \n\t/usr/sbin/ndc status\n\treturn $?\n\nrestart() \nArrêtez\ndébut\n\nreload() \n\t/usr/sbin/ndc reload\n\treturn $?\n\nprobe() echo start\n\treturn $?\n\n\n# See how we were called.\ncase "$1" in\n\tstart)\ndébut\n\t\t;;\n\tstop)\nArrêtez\n\t\t;;\n\tstatus)\n\t\trhstatus\n\t\t;;\n\trestart)\nredémarrer\n\t\t;;\n\tcondrestart)\n\t\t[ -f /var/lock/subsys/named ] && restart || :\n\t\t;;\n\treload)\nrecharger\n\t\t;;\n\tprobe)\nsonde\n\t\t;;\n\t*)\n        \techo "Usage: named condrestart"\nsortie 1\nesac\n\nexit $?\n\n\n\nNote: The current version of bind from the RedHat errata updates and security\nfixes (http://www.redhat.com/support/errata/)\nruns the named process as user "named" in the home (not chrooted) directory\n /var/named with no shell available. (named -u named)\nThis should be secure enough.\nProceed with a chrooted installation if your are paranoid.\n \nVoir:\n \n\n\n Chrooted DNS configuration:\n \nModern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4)\ncome pre-configured to use "chrooted" bind. This security feature forces\neven an exploited version of bind to only operate within the "chrooted" jail\n /var/named/chroot\nwhich contains the familiar directories:\n \n\n/var/named/chroot/etc: Configuration files\n \n/var/named/chroot/dev: devices used by bind:\n\n /dev/null\n \n /dev/random\n \n /dev/zero\n \n\n (Real devices created with the mknod command.)\n \n/var/named/chroot/var: Zone files and configuration information.\n \n\nThese directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".\n\nIf building from source you will have to generate this configuration manually:\n \n\nmkdir -p /var/named/chroot\n \nmkdir /var/named/chroot/dev\n \nmknod /var/named/chroot/dev/null c 1 3\n \nmknod /var/named/chroot/dev/zero c 1 5\n \nmknod /var/named/chroot/dev/random c 1 8\n \nchmod 666 -R /var/named/chroot/dev\n \nmkdir -p /var/named/chroot/etc\n \nln -s /var/named/chroot/etc/named.conf /etc/named.conf\n\nmkdir -p /var/named/chroot/var/named\n \nln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX \n \nln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY \n \n…\n \nmkdir -p /var/named/chroot/var/named/slaves\n \nmkdir -p /var/named/chroot/var/named/data\n \nmkdir -p /var/named/chroot/var/run\n \nmkdir -p /var/named/chroot/var/tmp\n\nchown -R named:named /var/named/chroot\n \nchown -R root:named /var/named/chroot/var/named\n \n\n\n\nLoad Balancing of servers using Bind: DNS Round-Robin\nThis will populate DNS caching name servers around the world with different IP addresses for your web server www.your-domain.com\nFichier: /var/named/data/named.your-domain.com\n\n\n\n\n$TTL 604800\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com.\n\n...\n...\n\nwww IN A 192.168.1.1\n\n\n\nwww IN A 192.168.1.2\n\n\n\nwww IN A 192.168.1.3\n\n\n\nwww IN A 192.168.1.4\n\n\n\nwww IN A 192.168.1.5\n\n\n\nwww IN A 192.168.1.6\n\n Remarque:\n\nThis example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time for each request.\n              First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.\n \nA perfectly even load balance is not possible becaused network service providers run DNS caching servers which hold the resolved IP address for a different number of users.\n \nUsing multiple CNAME's to rotate records is no longer permissible in bind9.\n \nListing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.\n \nReducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a change in servers more quickly.\n \n\nAlso see lbnamed: lbnamed load balancing named\n \n\nBind/DNS Links:\nDomain name registration:\n\nDomain Name Registrars:\n \nAfterNic.com – Domain name exchange and auction.\n \nBuyDomains.com – Buy a domain name that a squatter is holding.\n \n\nNote that the Name registrations policies for the registrars are stated at ICANN.org.\n \n\nYou must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.\n \nMost free a domain name 30 days after it expires.\n \n\nWeb Server Load Balancing:\n\n Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both.\n      Multiple options are available for load balancing.\n\nDNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.\nUse a Linux Virtual Server to Create a Load Balance Cluster. See next section below.\nRun a reverse proxy. See nginx ("engine X").\n          From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).\nRun the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.\n\nUsing a Linux Virtual Server to Create a Load Balance Cluster:\n\nYou can use a single Linux server to forward requests to a cluster of servers\nusing iptables for IP masquerading and IPVsadm to scale your load.\nThe load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS).\nThe LVS receives the requests which are passed to the real servers which\nprocess and reply to the request.\nThis reply is forwarded to the client by the LVS.\n \nThis feature is available with the Linux 2.4/2.6 kernel.\n(If compiling kernel: Networking Options + IP: Virtual Server Configuration)\n \nConfiguration: This example will load balance http traffic to three web servers\nand ftp traffic to a fourth server.\n \n\nEnable Forwarding:\n    (Also see YoLinux Networking Tutorial: Enable Forwarding)\necho "1" > /proc/sys/net/ipv4/ip_forward\n \n\nEnable IP Masquerading:\niptables -t nat -P POSTROUTING DROPiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n For more on IP Masquerading, iptables and subnet addresses, see the\n    YoLinux network gateway tutorial.\n \nEnable virtual server:\n\nCreate virtual service and choose scheduler for http (80) and ftp (21):\nipvsadm -A -t 66.218.88.103:80 -s wlcipvsadm -A -t 66.218.88.103:21 -s wrr\n Command directives:\n\nA: Add a virtual service defined by IP address, port number, and protocol.\n \n-t: Use TCP service host:port\n \n-s: scheduler:\n\nrr: Robin Robin: distributes jobs equally amongst the avail-\n                            able real servers.\n \nwrr: Weighted Round Robin.\n \nlc: Least-Connection: assigns more jobs to real servers with\n                            fewer active jobs.\n \nwlc: (Default) Weighted Least-Connection: assigns more jobs to servers\n                            with fewer jobs and relative to the real server's weight.\n \nlblc, lblcr, dh, sh, sed, nq. See man page.\n \n\n\n\n\nConfigure load balancing cluser.\nipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -mipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -mipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m\n Command directives:\n\n-r: Real server.\n \n-m: Use masquerading also known as network address translation (NAT)\n \n-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.\n \n\n\n\n\n\nLinks:\n \nManaging Web Server Daemons:\n\nTo view if these services are\nrunning, type ps -aux and look for the httpd, inetd and named\nservices (daemons). These are background processes necessary to perform\nthe server tasks.\n\n\n \n \n \n root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named\n   nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd\n   nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd\n   root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd\n\nA new installation will most likely NOT start the named background process\nwhich may be started manually after configuration.\n See the YoLinux Init Process Tutorial\npour plus d'informations.\n The inetd (or xinetd) background process is the Internet daemon which\nstarts FTP when an ftp request is made.\n\nSys Admin Script:\n\nScript to prepare an account: (Red Hat/Fedora)\n\n\n\n\n\n#!/bin/sh\n# Author Greg Ippolito\n# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.\n# /opt/bin/ftponly\n# You must be root to run this script.\n#\nsi [ $# -eq 0 ]\npuis\n   echo "Enter user id as a command argument"\nelse if [ -r /home/$1 ]\npuis\n   echo "User's home directory already exists"\nautre\n   echo "1) Create user."\n   adduser -m $1\n\n   echo "2) Set user Password."\n   passwd $1\n\n   echo "3) Add read access to user directory so apache can read it."\n   cd /home\n   chmod ugo+rx $1\n   cd $1\n\n   echo "4) Create web directories."\n   mkdir public_html\n   chown $1.$1 public_html\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html\n   cd public_html\n   mkdir images\n   chown $1.$1 images\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images\n\n   # Block potential for unauthenticated logins\n   cd ../\n   touch .rhosts\n   chmod ugo-xrw .rhosts\n\n   echo "5) Create default web page"\n   sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html\n   cp -p /opt/etc/AccountDefaults/favicon.ico .\n   cp -p /opt/etc/AccountDefaults/default-logo.gif ./images\n   cp -p /opt/etc/AccountDefaults/robots.txt .\n   chown $1.$1 index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t images/default-logo.gif\n\n   echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"\n   cp -p /etc/passwd /etc/passwd-`date +%m%d%y`\n   sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd\n\n#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid\n#wu-ftp# echo "7) Add user to /etc/ftpaccess file"\n#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`\n#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess\n\n   echo "7) Add user to vsftpd chroot list\n   cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list\n\n   echo "8) Setting Disk Quotas to default 50Mb limit:"\n# Use user johndoe as a prototype.\n   edquota -p johndoe $1\n\n   echo "9) Admin Follow-up:"\n   echo " Modify quota.user if different than default"\n   echo " Make changes to Bind names services on dns1 and dns2 if necessary"\n   echo " Change /etc/http/conf/httpd.conf or \n   echo " add config to /etc/http/conf.d/ if using a new domain name"\n   echo " Add e-mail aliases to mail server if necessary"\nFi\nFi\n\nFYI: Sample robots.txt files:\n \nUseful links and resources:\n\n\n Livres:\n\n\n\n\n\n\n "Ubuntu Unleashed 2017 edition:"\n Covering 16.10 and 17.04, 17.10 (12th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0134511182\n \n \n\n \n \n\n\n\n\n "Ubuntu Unleashed 2013 edition:"\n Covering 12.10 and 13.04 (8th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672336243\n (Dec 15, 2012)\n\n\n \n \n\n\n\n\n "Ubuntu Unleashed 2012 edition:"\n Covering 11.10 and 12.04 (7th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672335786\n (Jan 16, 2012)\n\n\n \n \n\n\n\n\n "Red Hat Enterprise Linux 7: Desktops and Administration"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280620\n (Jan 13, 2017)\n\n\n \n \n\n\n\n\n "Fedora 18 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280639\n (Mar 6, 2013)\n\n\n \n \n\n\n\n\n "Fedora 18 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280698\n (March 29, 2013)\n\n\n \n \n\n\n\n\n "Fedora 14 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280167\n (Nov 30, 2010)\n\n\n \n \n\n\n\n\n "Fedora 14 Administration and Security"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280221\n (Jan 6, 2011)\n\n\n \n \n\n\n\n\n "Fedora 14 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280191\n (Dec 26, 2010)\n\n\n \n \n\n\n\n\n "Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"\n by Mark Sobell\n Prentice Hall PTR, ISBN# 0137003889\n 2 edition (January 9, 2009)\n\n\n \n \n\n\n\n\n "Fedora 10 and Red Hat Enterprise Linux Bible"\n by Christopher Negus\n Wiley, ISBN# 0470413395\n\n\n \n \n\n\n\n\n "Red Hat Fedora 6 and Enterprise Linux Bible"\n by Christopher Negus\n Sams, ISBN# 047008278X\n\n\n \n \n\n\n\n\n "Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"\n by Richard Petersen\n Sams, ISBN# 0071486429\n\n\n \n \n\n\n\n\n "Red Hat Fedora Core 6 Unleashed"\n by Paul Hudson, Andrew Hudson\n Sams, ISBN# 0672329298\n\n\n \n \n\n\n\n\n "Red Hat Linux Fedora 3 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672327082\n\n\n \n \n\n\n\n\n "Red Hat Linux 9 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672325888\n May 8, 2003\n\n I have the Red Hat 6 version and I have found it to be very helpful.\n    I have found it to be way more complete than the other Linux books.\n    It is the most complete general Linux book in publication. While other\n    books in the "Unleashed" series have dissapointed me, this book\n    is the best out there.\n \n\n\n \n \n\n\n\n\n "Apache Server Bible 2"\n by Mohammed J. Kabir\n ISBN # 0764548212, Hungry Minds\n\n This book is very complete covering all aspects in detail. Ce n'est pas\n    your basic reprint of the apache.org documents like so many others.\n \n\n\n \n \n\n\n\n\n "Pro DNS and Bind"\n by Ronald Aitchison\n Apress, ISBN# 1590594940\n \n\n \n \n\n\n\n\n\n\nClick to rate this post!\r\n \r\n [Total: 0 Average: 0]","paragraphs":["Prérequis du site Web:","Ce tutoriel suppose que Linux est installé et fonctionne sur un ordinateur.\nVoir Installation de RedHat\npour les bases. Une connexion à Internet est également supposée.\nUne connexion de 128 Mbits / s ou plus donnera les meilleurs résultats.\nISDN, DSL, modem câble ou mieux sont tous appropriés.\nUn modem 56k fonctionnera mais les résultats seront au mieux médiocres.\nLes tâches doivent également être effectuées avec le nom d'utilisateur et le mot de passe de l'utilisateur root.","Aucune distribution ne semble avoir un avantage. Une distribution Ubuntu, SuSe, Fedora, Red Hat ou CentOS inclura tous les logiciels dont vous aurez besoin pour configurer un serveur Web.\nSi vous utilisez Red Hat Enterprise Linux, l'édition Workstation ou Server répondra à vos besoins, à l'exception du fait que l'édition Workstation n'inclura pas le package vsFTP. Il devra être compilé à partir de la source ou utiliser sftp.","Prérequis logiciels: Le serveur Web Apache (httpd),\nFTP (nécessite xinetd ou inetd)\net Bind (nommé)\nles progiciels avec leurs dépendances sont tous nécessaires.\nOn peut utiliser le rpm commande pour vérifier l'installation:","Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:","rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd\n \n RPM ajoutés FC2 +: system-config-httpd\n RPM ajoutés FC3 +: httpd-suexec","Chapeau rouge 9.0\n rpm -q httpd lier xinetd vsftpd\nUn RPM wu-ftpd Red Hat 8.0 peut être installé (version plus récente, version 2.6.2 ou ultérieure, avec correctif de sécurité). wu-ftpd-2.6.2-11) ou installer à partir de la source (rev 14).","Red Hat 8.0\n rpm -q httpd lie xinetd wu-ftpd","Red Hat 7.x:\n rpm -q apache bind inetd wu-ftpd\nUtilisez wu-ftpd version 2.6.2 ou ultérieure pour éviter les problèmes de sécurité.","SuSE 9.3:\n rpm -ivh apache2 apache2-prefork lier lier-chrootenv lier-utils vsftpd\nRemarque: apache2-MPM est un terme générique désignant les options d'installation d'Apache.\npour "Modules de traitement multiple (MPM)", "prefork" ou "worker". Si vous essayez\net installez uniquement apache2, vous obtiendrez l’erreur suivante:\n apache2-MPM est nécessaire pour apache2-2.0.53-9\nVoir aussi Apache.org: MPMs","Ubuntu (natty 11.04 / 14.04) / Debian:","apt-get install apache2\n   apt-get install bind9\n   apt-get install vsftpd","Ubuntu (dapper 6.06 / hardy 8.04) / Debian:","apt-get install apache2 apache2 commun apache2-mpm-prefork apache2-utils\n   apt-get install bind9\n   apt-get install vsftpd","Vous devez également avoir une connaissance pratique du processus init Linux afin que ces services soient lancés au démarrage du système.\nConsultez le tutoriel sur le processus d'initialisation YoLinux pour plus d'informations.","Configuration du serveur Web HTTP Apache:","Le fichier de configuration du serveur Web Apache est: /etc/httpd/conf/httpd.conf","Les pages Web sont servies à partir de l'annuaire tel que configuré par le\n DocumentRoot directif. L'emplacement du répertoire par défaut est:","Distribution Linux\nServeur Web Apache "DocumentRoot"","Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6\n / var / www / html /","Red Hat 6.x et plus\n / home / httpd / html /","Suse 9.x\n / srv / www / htdocs /","Ubuntu (dapper 6.06) / Debian\n / var / www / html","Ubuntu (hardy 8.04 / natty 11.04 / fidèle 14.04) / Debian\n / var / www","La page d'accueil par défaut pour la configuration par défaut est index.html.\nNotez que les pages ne doivent pas appartenir à l'utilisateur apache comme c'est le\npropriétaire du processus du démon du serveur Web httpd. Si le processus du serveur Web est\ncompromis, il ne devrait pas être autorisé à modifier les fichiers. Les fichiers\ndevrait bien sûr être lisible par l'utilisateur apache.","Apache peut être configuré pour s'exécuter de cette manière en tant qu'hôte pour un site Web.\nou il peut être configuré pour servir pour plusieurs domaines. Servir pour plusieurs\nLes domaines peuvent être atteints de deux manières:","Hôtes virtuels: Une adresse IP mais plusieurs domaines – Hébergement virtuel "basé sur le nom".","Plusieurs hôtes virtuels basés sur IP: Une adresse IP pour chaque domaine – Hébergement virtuel "basé sur IP".","La configuration par défaut permettra à l'un d'avoir plusieurs comptes d'utilisateurs\nsous un domaine en utilisant une référence au compte d'utilisateur:\n http: // www.domain.com/ ~ utilisateur1 /.\nSi aucun domaine n'est enregistré ou configuré, l'adresse IP peut également être utilisée:\n http: //XXX.XXX.XXX.XXX/ ~ utilisateur1 /.","[Potential Pitfall] \nLe umask par défaut pour la création de répertoire est correct par défaut mais s'il ne l'est pas, utilisez:\n chmod 755 / home /utilisateur1/ public_html","[Potential Pitfall] Lors de la création de "Annuaire"\ndirectives de configuration,\nJ'ai trouvé que les placer par l'existant "Annuaire"directives\nêtre une mauvaise idée.\nIl n'utiliserait pas le .htaccess fichier. C'était parce que la déclaration\ndéfinir l'utilisation de la .htaccess le fichier était après la\n"Annuaire"déclaration. Précédemment dans RH 6.x\nles fichiers ont été séparés et l'ordre a été défini un peu différent.\nJe place maintenant de nouveaux "Annuaire"déclarations vers la fin du fichier juste\navant le "VirtualHost"déclarations.","Pour les utilisateurs de Red Hat 7.1, l'outil de configuration de l'interface graphique apacheconf\na été introduit pour la foule qui aime utiliser de jolis outils de pointer et cliquer.","Fichiers utilisés par Apache:","Script de démarrage / arrêt / redémarrage:","Red Hat / Fedora / CentOS: /etc/rc.d/init.d/httpd\n \nSuSE 9.3: /etc/init.d/apache2\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/init.d/apache2","Fichier de configuration principal Apache:","Red Hat / Fedora / CentOS: /etc/httpd/conf/httpd.conf\n \nSuSE: /etc/apache2/httpd.conf\n (Nécessité d'ajouter une directive: Nom du serveur nom d'hôte)\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/apache2/apache2.conf","Fichiers de configuration supplémentaires Apache:","Red Hat / Fedora / CentOS: /etc/httpd/conf.d/composant.conf\n \nSuSE: /etc/apache2/conf.d/composant.conf\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian:","Domaines virtuels: / etc / apache2 / sites-enabled /domaine\n (Créer un lien symbolique à partir de / etc / apache2 / sites-enabled /domaine à / etc / apache2 / sites-available /domaine pour allumer. Utiliser la commande a2ensite)\n \nDirectives de configuration supplémentaires: /etc/apache2/conf.d/\n \nModules à charger: / etc / apache2 / mods-available /\n (Lien symbolique vers / etc / apache2 / mods-enabled / pour allumer)\n \nPorts à écouter: /etc/apache2/ports.conf","/ var / log / httpd / access_log et error_log –\n    Fichiers journaux Apache Red Hat / Fedora Core\n (Suse: / var / log / apache2 /)","Démarrer / Arrêter / Redémarrer les scripts:\nLe script doit être exécuté avec les qualificatifs début, Arrêtez,\n redémarrer ou statut.\n c'est à dire.\n /etc/rc.d/init.d/httpd restart. Un redémarrage permet au serveur Web\npour redémarrer et lire les fichiers de configuration pour prendre en compte les modifications.\nPour que ce script soit appelé au démarrage du système, lancez la commande\n chkconfig --add httpd.\nVoir le tutoriel sur le processus Linux Init pour\nune discussion plus complète.","Aussi outil de contrôle Apache: / usr / sbin / apachectl start","Apache Control Command: apachectl:","Red Hat / Fedora Core / CentOS: apachectl directif","Ubuntu dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04 / Debian: apachectl (lien logiciel vers apache2ctl) ou apache2ctl directif","Directif\nLa description","début\nDémarrez le démon Apache httpd. Donne une erreur s'il est déjà en cours d'exécution.","Arrêtez\nArrête le démon Apache httpd.","gracieux\nRedémarre gracieusement le démon Apache httpd. Si la\nle démon n'est pas en cours d'exécution, il est démarré. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.","gracieux-stop\nArrête gracieusement le démon Apache httpd. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.","redémarrer\nRedémarre le démon httpd Apache. Si le démon est\nne marche pas, c'est commencé. Cette commande vérifie automatiquement la\nfichiers de configuration comme dans configtest avant de lancer le redémarrage\nassurez-vous que le démon ne meurt pas.","statut\nAffiche un bref rapport de statut.","statut complet\nAffiche un rapport d'état complet de\nétat_modal. Requiert l'activation de mod_status sur votre serveur et une base de données textuelle\nnavigateur tel que Lynx disponible sur votre système. L'URL utilisée pour accéder\nle rapport d'état peut être défini en modifiant la variable STATUSURL dans le\nscénario.","configtest-t\nExécutez un test de syntaxe du fichier de configuration.","Outil de contrôle Apache: apachectl – page de manuel","Fichiers de configuration Apache:","/etc/httpd/conf/httpd.conf: est utilisé pour configurer Apache.\nDans le passé, il était divisé en trois fichiers. Ceux-ci peuvent maintenant être tous\nconcaténés dans un fichier.\nVoir la documentation en ligne Apache\npour le manuel complet.","/etc/httpd/conf.d/application.conf: Tous les fichiers de configuration\n    dans ce répertoire sont inclus lors du démarrage d’Apache. Utilisé pour stocker des configurations spécifiques à une application.","/ etc / sysconfig / httpd: Contient les variables d'environnement utilisées lors du démarrage d'Apache.","Paramètres de base: Changer la valeur par défaut pour NomServeur www. <votre-domaine.com>","Autoriser Apache à accéder au système de fichiers: Il est prudent de limiter Apache\nvue du système de fichiers uniquement aux répertoires nécessaires. Ceci est fait avec\nla déclaration de répertoire.\nCommencez par refuser l'accès à tout, puis accordez l'accès aux ressources nécessaires.\ndes répertoires.","Refuser complètement l'accès à la racine du système de fichiers ("/") par défaut:","Commencez par refuser, puis accordez les autorisations:","Options Aucune\n   AllowOverride None","Définissez l'emplacement par défaut des pages Web du système et autorisez l'accès: (Red Hat / Fedora / CentOS)","DocumentRoot "/ var / www / html"","Index des options FollowSymLinks\n   AllowOverride None\n   Ordre permettre, refuser\n   Autoriser de tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+","Note: la directive "Exiger tout accordé"est nouveau depuis Apache httpd 2.4.3.","Le comportement hérité peut être obtenu avec la commande: sudo a2enmod access_compat\nAccorder l'accès au répertoire Web d'un utilisateur: public_html","Activation de Red Hat / Fedora Linux, Apache public_html accès au répertoire utilisateur:\nCela permettra aux utilisateurs de servir le contenu de leurs répertoires personnels dans le sous-répertoire "/maison/identifiant d'utilisateur/ public_html /"en accédant à l'URL http: //nom d'hôte/ ~ userid /","Fichier: /etc/httpd/conf/httpd.conf","LoadModule userdir_module modules / mod_userdir.so","...\n...","#UserDir disable - Ajoute un commentaire à cette ligne\n #\n    # Pour permettre aux requêtes à / ~ utilisateur / de servir le public_html de l'utilisateur\n    # répertoire, supprimez la ligne "UserDir disable" ci-dessus et supprimez le commentaire\n    # la ligne suivante à la place:\n UserDir public_html # Décommenter cette ligne","...\n...","AllowOverride FileInfo AuthConfig Limit\n    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec\n \n Ordre permettre, refuser\n        Autoriser de tous\n \n \n \n \n \n Ordre nier, permettre\n        Refuser à tous","Passer à un commentaire (ajouter "#" au début de la ligne) à partir de Fedora Core par défaut UserDir désactiver et assigner le répertoire public_html en tant que répertoire accessible du serveur Web.\n OU\n Attribuez à un seul utilisateur la possibilité spécifique de partager son répertoire:","Les index des options incluent FollowSymLinks\n   AllowOverride None\n   ordre autoriser, refuser\n   permettre à tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+","Permet à l'utilisateur spécifique, "utilisateur1"seulement, la possibilité de servir le répertoire /maison/utilisateur1/ public_html /\nUtilisez également la commande SELinux pour définir le contexte de sécurité: setsebool httpd_enable_homedirs true","Autorisations de répertoire: Le démon du serveur Web Apache doit pouvoir lire votre site Web.\npages afin d’alimenter leur contenu sur le réseau. Utilisez un approprié\numask et protection de fichiers. Autoriser l'accès au répertoire Web: chmod ugo + rx -R public_html.\n Notez que le répertoire de l'utilisateur doit également avoir les autorisations appropriées car il est le parent de public_html.\n Autorisations par défaut sur le répertoire de l'utilisateur: ls -l / home\n drwx ------ 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1\n Autorisez l’accès au serveur Web à exploiter le répertoire parent: chmod ugo + x / home / user1\n d-wx - x - x 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1","On peut également utiliser des groupes pour contrôler les autorisations.\nVoir le tutoriel YoLinux sur la gestion des groupes.","Activer Apache d'Ubuntu public_html accès au répertoire utilisateur:\nUbuntu a découpé les directives du module chargeable Apache dans le répertoire\n/ etc / apache2 / mods-available /.\nPour activer un module Apache, générez des liens symboliques vers le répertoire / etc / apache2 / sites-enabled / en utilisant les commandes a2enmod/a2dismod activer / désactiver les modules Apache.","Exemple:","[root@node2]# a2enmod\n Une liste des modules disponibles est affichée. Entrez "userdir" comme module à activer.","Redémarrez Apache avec la commande suivante: /etc/init.d/apache2 force-reload","Remarque: Cela revient à générer manuellement les deux liens symboliques suivants:","ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf","ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load","Page de manuel: a2enmod / a2dismod","[Potential Pitfall]: Si le serveur Web Apache ne peut pas accéder au fichier, vous obtiendrez le message d'erreur "403 interdit" "Vous n'avez pas la permission d'accéder nom de fichier sur ce serveur. "\nNotez que les autorisations par défaut sur un répertoire utilisateur lors de sa création avec "useradd" sont les suivantes:","drwx ------ 3 userx userx\nVous devez autoriser le serveur Web exécuté en tant qu'utilisateur "apache" à accéder au répertoire s'il doit afficher les pages qu'il contient.","Correction avec la commande: chmod ugo + rx / home / userx","drwxr-xr-x 3 userx userx","Ordre de fonctionnement du fichier de configuration:\nLes directives de configuration sont affectées dans l'ordre dans lequel elles sont lues.\nCeci est important sinon un comportement inattendu peut en résulter.","Les fichiers de configuration Red Hat / CentOS / Fedora / AWS sont lus dans l'ordre suivant:","/etc/httpd/conf/httpd.conf\n lit les fichiers d'inclusion "Inclure conf.modules.d / *. Conf" et "IncludeOptional conf.d / *. Conf"","/etc/httpd/conf.modules/*.conf","/etc/httpd/conf.d/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.","Les fichiers de configuration Ubuntu / Debian sont lus dans l'ordre suivant:","/etc/apache2/apache2.conf\n lit les fichiers d'inclusion","/etc/apache2/mods-enabled/*.load","/etc/apache2/mods-enabled/*.conf","/etc/apache2/conf-enabled/*.conf","/etc/apache2/sites-enabled/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.","La valeur par défaut du serveur pour l'accès à l'aide de l'adresse IP est généralement le premier domaine défini dans "conf.d / *. conf"tel que défini par l'ordre alphabétique.\nC'est également ce que voient les pirates sur le site lors de l'analyse du réseau via des adresses IP.\nC'est souvent une malédiction d'avoir un domaine commençant par la lettre "a" car des serveurs mal configurés dirigeront tout le trafic des hackers vers ce site.\nPar conséquent, il est recommandé de générer une configuration par défaut pour l’accès aux adresses IP.","Fichier: /etc/httpd/conf.d/1st.conf (Ubuntu: /etc/apache2/sites-enabled/1st.conf)","DirectoryIndex index.html","NomServeur www4.defaultdomain.com\n    DocumentRoot / srv / www / default / html\n    ErrorLog /var/log/httpd/1st-error.log\n    TransferLog /var/log/httpd/1st-access.log\n \n Options FollowSymLinks\n        AllowOverride None\n \n \n \n \n \n Options FollowSymLinks MultiViews Inclut\n        IndexOptions SuppressLastModified SuppressDescription\n        AllowOverride All\n        Ordre permettre, refuser\n        permettre à tous","Page Web par défaut: /srv/www/default/html/index.html devrait être une simple page statique sans accès à la base de données ou au CMS.\nAprès tout, les seuls qui se retrouvent ici sont les pirates.\nContextes de sécurité SELinux:\nFedora Core 3 et Red Hat Enterprise Linux 4 ont introduit les règles de sécurité et les étiquettes de contexte SELinux (Security Enhanced Linux).\n \nPour afficher les étiquettes de contexte de sécurité appliquées à vos fichiers de page Web, utilisez la commande\ncommander: ls -Z\nLe système active / désactive les politiques SELinux dans le fichier. / etc / selinux / config\n SELinux peut être désactivé en définissant la directive SELINUX. (Ensuite, redémarrez le système):","SELINUX = désactivé","ou en utilisant la commande setenforce 0 désactiver temporairement SELinux jusqu'au prochain redémarrage.","Lorsque vous utilisez les fonctions de sécurité de SELinux,\nles étiquettes de contexte de sécurité doivent être ajoutées pour qu'Apache puisse lire vos fichiers.\nL'étiquette de contexte de sécurité par défaut utilisée est héritée du répertoire des fichiers nouvellement créés. Donc une copie (cp) doit être utilisé et non un mouvement (mv)\nlors du placement de fichiers dans le répertoire de contenu. Déplacer ne crée pas un nouveau\nfichier et donc le fichier ne reçoit pas le contexte de sécurité du répertoire\nétiquette.\nLes étiquettes de contexte utilisées pour les répertoires Apache par défaut peuvent être\nvu\navec la commande: ls -Z / var / www\n Les répertoires Web des utilisateurs (c'est-à-dire public_html) devrait\nêtre défini avec l'étiquette de contexte appropriée (httpd_sys_content_t).\n \nAttribuez un contexte de sécurité pour les pages Web: chcon -R -h -t httpd_sys_content_t / home /utilisateur1/ public_html\n Options:","-R: récursif. Fichiers et répertoires du répertoire en cours et de tous les sous-répertoires.","-h: affecte les liens symboliques.","-t: spécifie le type de contexte de sécurité.","Utilisez les contextes de sécurité suivants:","Type de contexte\nLa description","httpd_sys_content_t\nUtilisé pour le contenu Web statique. c'est-à-dire des pages Web HTML.","httpd_sys_script_exec_t\nUtiliser pour les scripts CGI exécutables ou les exécutables binaires.","httpd_sys_script_rw_t\nCGI est autorisé à modifier / supprimer des fichiers de ce contexte.","httpd_sys_script_ra_t\nCGI est autorisé à lire ou à annexer des fichiers de ce contexte.","httpd_sys_script_ro_t\nCGI est autorisé à lire les fichiers et les répertoires de ce contexte.","Définissez les options suivantes: setsebool httpd-option vrai\n (ou réglé sur faux)","Politique\nLa description","httpd_enable_cgi \nAutoriser le support de httpd cgi.","httpd_enable_homedirs \nAutoriser httpd à lire les répertoires personnels.","httpd_ssi_exec \nAutorisez httpd à exécuter les exécutables SSI dans le même domaine que les scripts CGI du système.","Puis redémarrez Apache:","Red Hat / Fedora / Suse et tous les systèmes Linux basés sur un script d'initialisation System V: /etc/init.d/httpd restart","Red Hat / Fedora: service httpd restart","Les valeurs booléennes SE par défaut sont spécifiées dans le fichier: / etc / selinux / target / booleans","Pour plus d’informations sur SELinux, reportez-vous au tutoriel sur l’administration de systèmes YoLinux.","Hôtes Virtuels:\nLe serveur Web Apache permet de configurer un seul ordinateur pour représenter plusieurs sites Web comme s'ils se trouvaient sur des hôtes distincts.\nDeux méthodes sont disponibles et nous décrivons la configuration de chacune. Choisissez une méthode pour votre domaine:","Nom d'hôte virtuel: (le plus commun)\n    Un seul ordinateur avec une seule adresse IP prenant en charge plusieurs domaines Web.\n    Le navigateur Web utilisant le protocole http identifie le domaine en cours d’adresse.","Hôte virtuel basé sur IP:\n    Les hôtes virtuels peuvent être configurés comme un seul ordinateur multi-hébergé avec plusieurs adresses IP sur une seule carte réseau, chaque adresse IP représentant un domaine Web différent.\n    Cela a l'apparence d'un domaine Web pris en charge par un ordinateur dédié car il possède une adresse IP dédiée.","Configuration d'un hôte virtuel "basé sur le nom":\nUne configuration d'hôte virtuel permet d'héberger plusieurs domaines de site Web sur un serveur.\n(Cela n'est pas nécessaire pour un serveur Linux dédié hébergeant un seul site Web.)","NameVirtualHost XXX.XXX.XXX.XXX","<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com - CNAME (alias DNS www) spécifié dans (/ var / named / ...)\n ServerAlias votre-domaine.com - Autorise les requêtes sans le préfixe "www".\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_htmlLogs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log","Remarques:","Vous pouvez spécifier plusieurs adresses IP. c'est à dire si web\nserveur est également utilisé comme pare-feu / passerelle et vous avez un\nadresse IP Internet externe ainsi qu’une adresse IP de réseau local.","NameVirtualHost XXX.XXX.XXX.XXX","NameVirtualHost 192.168.XXX.XXX","<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>\n   ...\n   ..","Reportez-vous au didacticiel YoLinux pour configurer un routeur / pare-feu réseau avec iptables et NAT.","Utilisez votre adresse IP pour XXX.XXX.XXX.XXX, nom de domaine et adresse e-mail actuels.\n On peut utiliser les vues DNS pour fournir différents résultats DNS du réseau local.","L'adresse IP de l'hôte peut être référencée de manière générique pour fonctionner sur toutes les cartes réseau:","<VirtualHost *: 80>\n   ...\n   ..","Remarque Cette méthode est recommandée pour les hébergements basés sur NAT, tels qu'Amazon Web Services (AWS) EC2.","Notez que je configure Apache pour les deux demandes http: // www.nom de domaine.com et http: //nom de domaine.com.","Une fois les hôtes virtuels configurés, votre système par défaut\n    domaine (/ var / www / html) cessera de fonctionner.\n    Votre domaine par défaut doit maintenant être configuré en tant que domaine virtuel.","... Cette partie reste la même\n \n \n \n ..","# Valeur par défaut lorsque aucun nom de domaine n’est donné (accès par adresse IP, par exemple)","<VirtualHost *: 80>\n   ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log","# Ajoutez une définition VirtualHost pour votre domaine qui était autrefois la valeur par défaut du système.","<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com\n \n \n \n ServerAlias votre-domaine.com\n \n \n \n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log","...\n   ..","Transfert vers une URL primaire. Il est préférable d'éviter l'apparition de contenu Web dupliqué à partir de deux URL telles que http: // www.ton domaine.com et\n http: //ton domaine.com. Fournissez une "redirection" Apache de redirection.","<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur www.votre-domaine.com - Notez qu'aucun alias n'est répertorié\n \n \n \n ...\n   ...","# Ajouter une définition VirtualHost à transférer à votre URL principale","<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur votre-domaine.com\n \n \n \n ServerAlias autre-domaine.com\n \n \n \n ServerAlias ​​www.autre-domaine.com\n \n \n \n Rediriger permanent / http: // www.votre-domaine.com.com /","...\n   ..\n \nRemarque:","Plus d'exemples d'hôte virtuel.","Lorsqu’ils spécifient plus de domaines, ils peuvent tous utiliser la même adresse IP ou certains / tous\npeuvent utiliser leur propre adresse IP unique.\nSpécifiez un "NameVirtualHost" pour chaque adresse IP.","Une fois les fichiers de configuration Apache modifiés, redémarrez le démon httpd:\n /etc/rc.d/init.d/httpd restart (Chapeau rouge) ou /etc/init.d/apache2 restart (Ubuntu / Debian)","Configuration du domaine virtuel Apache avec Ubuntu:\nUbuntu sépare chaque domaine virtuel dans un fichier de configuration séparé\ntenue dans l'annuaire / etc / apache2 / sites-available /.\nLorsque le domaine du site doit devenir actif, un lien symbolique est créé vers le répertoire. / etc / apache2 / sites-enabled /.\nExemple: / etc / apache2 / sites-available / supercorp","NomServeur supercorp.com\n        ServerAlias ​​www.supercorp.com\n        Webmaster ServerAdmin @ localhost","        DocumentRoot / home / supercorp / public_html / home\n \n Options FollowSymLinks\n                AllowOverride None\n \n \n \n \n \n Options Index FollowSymLinks MultiViews\n                IndexOptions SuppressLastModified SuppressDescription\n                AllowOverride All\n                Ordre permettre, refuser\n                permettre à tous\n                Exiger tout accordé - Ceci est requis pour Apache 2.4+","ScriptAlias ​​/ cgi-bin / / home / supercorp / cgi-bin /\n \n AllowOverride None\n                Options + ExecCGI -MultiViews + SymLinksIfOwnerMatch\n                Ordre permettre, refuser\n                Autoriser de tous","ErrorLog /var/log/apache2/supercorp.com-error.log","        # Les valeurs possibles incluent: debug, info, notice, avertir, erreur,\n        # crit, alerte, émergent.\n        LogLevel avertir\n        CustomLog /var/log/apache2/supercorp.com-access.log combinés\n        ServerSignature On","Activer le domaine:","Créer un lien symbolique:","Manuellement: ln -s / etc / apache2 / sites-disponibles / supercorp / etc / apache2 / sites-enabled / supercorp\n \nUtiliser les scripts Ubuntu a2ensite/a2dissite. Tapez commande et il vous demandera quel site vous souhaitez activer ou désactiver.","Redémarrez Apache:","apachectl gracieux\n ou\n \n/etc/init.d/apache2 restart\n ou\n \n/etc/init.d/apache2 reload","Notez également que les modules Apache peuvent également être activés / désactivés avec des scripts a2enmod / a2dismod.","Pages de manuel:","Configuration d'un hôte virtuel "basé sur IP":\nOn peut attribuer plusieurs adresses IP à une seule interface réseau.\nVoir le tutoriel de mise en réseau YoLinux: Aliasing de réseau.\nChaque adresse IP peut alors être son propre serveur virtuel et son propre domaine.\nL’inconvénient de la méthode d’hôte virtuel "basée sur IP" est que vous devez posséder\nadresses IP multiples / supplémentaires. Cela coûte généralement plus cher.\nLa méthode d'hébergement virtuel basée sur le nom standard ci-dessus est plus populaire pour cette raison.","NameVirtualHost * - Indique toutes les adresses IP","<VirtualHost *>\n   ServerAdmin utilisateur0@default-domain.com\n \n \n \n DocumentRoot / home /utilisateur0/ public_html","<VirtualHost XXX.XXX.XXX.101>\n   ServerAdmin utilisateur1@domain-1.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html","<VirtualHost XXX.XXX.XXX.102>\n   ServerAdmin utilisateur1@domain-2.com\n \n \n \n DocumentRoot / home /utilisateur2/ public_html","Le défaut bloc sera utilisé par défaut\npour toutes les adresses IP non spécifiées explicitement.\nCette adresse IP par défaut (*) peut ne pas fonctionner pour https URL.\nCGI: (interface de passerelle commune)\nCGI est un programme exécutable qui génère dynamiquement une page Web en écrivant\nà stdout. CGI est autorisé par l'une des deux directives de fichier de configuration suivantes:\nLes fichiers de programme exécutables doivent avoir les privilèges d’exécution, exécutables par le\npropriétaire du processus (Red Hat 7 + / Fedora Core: apache.\nUtilisation plus ancienne personne) sous lequel le démon httpd est exécuté.\nConfiguration de CGI pour une exécution avec des privilèges utilisateur:\nLa fonctionnalité suEXEC offre aux utilisateurs Apache la possibilité d’exécuter CGI et SSI.\nprogrammes sous des identifiants d'utilisateur différents de ceux de l'appelant\nserveur Web. Normalement, lorsqu'un programme CGI ou SSI s'exécute, il s'exécute en tant que\nle même utilisateur qui exécute le serveur Web.","NameVirtualHost XXX.XXX.XXX.XXX","<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur noeud1.votre-domaine.com - Permet les demandes par nom de domaine sans le préfixe "www".\n ServerAlias votre-domaine.com www.votre-domaine.com - CNAME (alias www) spécifié dans le fichier de configuration Bind (/ var / named / ...)\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html /votre-domaine.com\n \n \n \n Logs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log","   SuexecUserGroup utilisateur1 utilisateur1\n \n \n \n <Répertoire / home /utilisateur1/ public_html /votre-domaine.com/>\n      Options + ExecCGI + Index\n      AddHandler cgi-script .cgi","Pages d'erreur:\nVous pouvez spécifier vos propres pages Web au lieu des pages d'erreur Apache par défaut:","ErrorDocument 404 /Error404-missing.html\nCréer le fichier Error404-missing.html dans votre répertoire "DocumentRoot".","Traitez toutes les erreurs avec une page de transfert:","ErrorDocument 400 /error.shtml\nErrorDocument 401 /error.shtml\nErrorDocument 403 /error.shtml\nErrorDocument 404 /error.shtml\nErrorDocument 500 /error.shtml","Exemple de fichier error.shtml (dans votre répertoire "DocumentRoot").","Page non trouvée!","PHP:\nSi les RPM appropriés php, perl et httpd sont installés,\nla configuration et les modules Red Hat Apache par défaut prend en charge PHP\ncontenu.\nPaquets RPM (RHEL):","php: langage de script HTML","php-pear: PEAR est un framework et un système de distribution de composants PHP réutilisables.","php-mysql: support de la base de données MySQL.","php-ldap: support du protocole LDAP (Lightweight Directory Access Protocol)","Configuration Apache:","Ajoutez php default page index.php au fichier de configuration apache: /etc/httpd/conf/httpd.conf","...","DirectoryIndex index.html index.htm index.php","...","Fichier de configuration PHP:","AWS – PHP 5.6: /etc/php-5.6.d/php.ini\nRHEL4 – PHP 4.3: /etc/php.ini\nUbuntu 18.04: /etc/php/7.2/apache2/php.ini\nUbuntu 6.06 / 6.11: /etc/php5/apache2/php.ini","[PHP]","moteur = allumé\n...\n...\ndisplay_errors = Off\ninclude_path = ".: / php / includes"\n...\n...\nmemory_limit = 32M; La valeur par défaut est généralement de 8 Mo, ce qui est trop faible.\n...\n...","[MySQL]\n...\n...\nmysql.default_host = super-serveur ; Nom d'hôte de l'ordinateur\nmysql.default_user = Dbuser","...","Petite partie du fichier montré.","Notez que les modifications ne prendront effet qu'après le redémarrage du démon de serveur Web Apache.","Testez vos capacités PHP avec ce fichier de test: /maison/utilisateur1/public_html/test.php","<? phpphpinfo ();?>\nOU (ancien format)","Tester: http: // localhost / ~utilisateur1/test.php\nPour plus d'informations, consultez la liste des sites Web d'informations PHP de YoLinux.","Exécuter plusieurs instances de httpd:\nLe démon du serveur Web Apache (httpd) peut être démarré avec la commande\noption de ligne "-f" pour spécifier un fichier de configuration unique pour chaque instance.\nConfigurez une adresse IP unique pour chaque instance d'Apache.\nReportez-vous au didacticiel de mise en réseau YoLinux pour spécifier plusieurs adresses IP pour une même carte réseau.\nUtilisez la directive du fichier de configuration Apache Écoute XXX.XXX.XXX.XXX, où l'adresse IP est unique pour chaque instance d'Apache.","Apache Man Pages:","httpd – Apache Hypertext Transfer Protocol Server","apachectl – Interface de contrôle du serveur HTTP Apache","ab – Outil d'analyse comparative de serveur HTTP Apache","htdigest – gère les fichiers utilisateur pour l'authentification Digest","htpasswd – Gère les fichiers utilisateur pour l'authentification de base","logresolve – Résoudre les adresses IP en noms d'hôte dans les fichiers journaux Apache","rotatelogs – Programme de journalisation en pipeline pour faire pivoter les journaux Apache","Consultez également le manuel de configuration Apache en ligne local: http: // localhost / manual /.","Configuration de l'interface graphique Apache Red Hat / Fedora Core:\nOutil de configuration de l'interface graphique:","Red Hat EL 4/5, Fedora 2-10: / usr / bin / system-config-httpd","Red Hat 8/9, Fedora Core 1: / usr / bin / redhat-config-httpd","Ajout de la connexion au site Web et de la protection par mot de passe: Consultez le didacticiel YoLinux sur la protection par mot de passe du site Web.","Analyse du fichier journal:","L'analyse des fichiers de journal Web Apache ne fournira pas de statistiques significatives\nà moins qu’ils soient représentés graphiquement ou présentés de manière facile à lire. Le suivant\npaquets à un bon travail de présentation des statistiques du site.","Services de statistiques de site Web:","Charger en charge votre serveur:","Liens Apache:","CgiWrap – Le wrapper setuid qui permet aux utilisateurs d'installer et d'exécuter leurs propres scripts cgi exécutés sous leur propre ID utilisateur","WWWThreads.org – Produit commercial – Logiciel avancé de téléconférence Web","Configuration de https (mod_ssl):","Analyse du fichier journal avec Analog:","Installation:","Red Hat / Fedora: miam installer analogique\nUbuntu / Debian: apt-get install analog","Les packages d'installation sont également disponibles sur la page de téléchargements analogiques.\nFichier de configuration: /etc/analog.cfg","LOGFILE / var / log / httpd /votre-domaine.com-access_log * http: // www.votre-domaine.com\nUNCOMPRESS * .gz, *. Z "gzip -cd"\nSUBTYPE * .gz, *. Z\n#\nOUTFILE / home /utilisateur1/public_html/analog/Report.html\n#\nNOM D'HOTE "VotreDomaine.com"\nHOSTURL http: // www.votre-domaine.com","....\n...\n..","Pages REQINCLUDE # Demander les statistiques de la page uniquement","TOUT SUR\nLANGUE US-ANGLAIS","Vous pouvez afficher les paramètres utilisés avec votre fichier de configuration (également utiles pour le débogage): réglages analogiques\nRendre les images analogiques disponibles pour le rapport des utilisateurs: ln -s / usr / share / analogique / images / * / home /utilisateur1/ public_html / analogique","Emplacement du fichier journal:","Red Hat / Fedora: / var / log / httpd /\nUbuntu / Debian: / var / log / apache2 /","La directive "TOUT SUR"active tous les éléments suivants:","Directive analogique\nLa description","Tous les mois \n une ligne par mois","HEBDOMADAIRE SUR \n une ligne par semaine","DAILYREP ON \n une ligne par jour","DAILYSUM ON \n une ligne pour chaque jour de la semaine","HOURLYREP ON \n une ligne pour chaque heure de la journée","GENERAL ON \n le résumé général en haut","DEMANDE SUR \n quels fichiers ont été demandés","ÉCHEC SUR \n quels fichiers n'ont pas été trouvés","ANNUAIRE SUR \n Rapport d'annuaire","HÔTE SUR \n quels ordinateurs ont demandé des fichiers","ORGANISATION SUR \n de quelles organisations ils venaient","DOMAINE SUR \n dans quels pays ils étaient","REFERER SUR \n où les gens ont suivi les liens de","FAILREF ON \n où les gens ont suivi des liens brisés de","RECHERCHE SUR \n les phrases et les mots qu'ils ont utilisés …","MOT DE RECHERCHE SUR \n … pour vous trouver parmi les moteurs de recherche","NAVIGATEUR SUR \n quels types de navigateurs les gens utilisaient","OSREP ON \n et quels systèmes d'exploitation","FILETYPE ON \n types de fichiers demandés","TAILLE SUR \n taille des fichiers demandés","ÉTAT SUR \n nombre de chaque type de succès et d'échec","Cron job pour gérer plusieurs domaines: /etc/cron.daily/analog","#! / bin / sh\ncp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg\n/ usr / bin / analogique\ncp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg\n/ usr / bin / analogique","...","Liens:","Mesure des performances du serveur Web:","Voir le didacticiel de référence du serveur Web YoLinux.com.","Configuration du compte utilisateur FTPd et FTP:","De nombreux programmes FTP existent. Cet exemple couvre le populaire\n      vsftpd (Red Hat default 9.0, Fedora Core, Suse) et\n      wu-ftpd (Washington\nUniversity) qui est livré en standard avec RedHat (le dernier livré avec\nRedHat 8.0 mais peut être installé sur n’importe quel système Linux).\n(RPM: wu-ftpd)\nIl existe d'autres programmes FTP, y compris proFtpd\n(prend en charge l’authentification LDAP, les directives de type Apache, les fonctionnalités complètes\nlogiciel serveur ftp),\n      bftpd, pure-ftpd (BSD libre et en option sur Suse), etc …","Pour les environnements hostiles, configurez un environnement chrooté pour sftp connexion cryptée et la rssh shell restreint pour OpenSSH.\nVoir le tutoriel sur la sécurité Internet de YoLinux.com pour Linux sftp et rssh configuration","Voir aussi la configuration sftp chrootée préférée pour OpenSSH 4.9+","FTPd et SELinux: pour autoriser l'accès au démon FTPd et l'accès FTP aux répertoires de base des utilisateurs:","Suivre avec la commande service vsftpd redémarrer\nTutoriels de configuration FTPd:","Configuration du compte utilisateur vsFTPd et FTP:","Le serveur ftp vsFTPd a été mis à disposition pour la première fois dans Red Hat 9.0. Il a également été adopté par Suse et OpenBSD.\nC'est actuellement le démon FTP recommandé pour une utilisation sur des serveurs FTP.","Activer vsftpd:","Red Hat / Fedora Core / CentOS:\nVsFTPd est un service autonome et par l’installation par défaut de Fedora Core,\nnon contrôlé par xinetd comme l’installation par défaut de wu-ftpd.\n Commencez donc le service: service vsftpd start (ou: /etc/init.d/vsftpd start)\n Configurez vsftpd pour qu'il démarre au démarrage du système: chkconfig --add vsftpd","SuSE: Par défaut, vsftpd est un service contrôlé par xinetd. Autoriser\nServices de serveur FTP éditer le fichier /etc/xinetd.d/vsftpd et changer:\n désactiver = oui\n à:\n désactiver = non\n Redémarrez le démon xinetd: /etc/init.d/xinetd restart\n Remarque: vsftpd peut également être exécuté en tant que service autonome pour obtenir un résultat plus rapide.\nTemps de réponse.","Ubuntu (dapper / hardy / natty) / Debian:","Installer: apt-get install vsftpd\n \nVsFTPd est un service autonome.","Début: /etc/init.d/vsftpd start\n \nArrêtez: /etc/init.d/vsftpd stop\n \nRedémarrer: /etc/init.d/vsftpd restart\n (Utilisez cette commande après avoir modifié le fichier de configuration)","Pour plus d’informations sur le démarrage / l’arrêt / la configuration des services Linux, voir la\n      Tutoriel YoLinux sur le processus d'initialisation Linux et l'activation du service.","Fichiers de configuration:","Fichier de configuration vsFTPd:","Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf\n \nS.u.S.e. / Ubuntu (dapper / hardy / natty) / Debian: /etc/vsftpd.conf","Par défaut pour Fedora Core 3:","anonymous_enable = OUI - FTP anonyme autorisé par défaut si vous commentez ceci.\n                                  Répertoire par défaut utilisé: / var / ftp","local_enable = YES - Un-comment this to allow local users to log in with FTP.\n Must also set SELinux boolean: setsebool -P ftp_home_dir 1","write_enable=YES - Un-comment this to enable any form of FTP write or upload command.","local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.","#anon_upload_enable=YES - Un-comment to allow the anonymous FTP user to upload files. \n                                  Requires the above global write enabled. Directory must also be writable by user.","#anon_mkdir_write_enable=YES - Un-comment this to allow the anonymous FTP user to be able to create new directories.","dirmessage_enable=YES - Activate directory messages. \n                                  Messages given to remote users when they enter certain directories","xferlog_enable=YES - Activate logging of uploads/downloads.","connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)","#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)","#chown_username=quiconque","#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log","xferlog_std_format=YES - Output to log file in standard ftpd xferlog format","#idle_session_timeout=600 - Set timing out for an idle session.","#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20","#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.","# Enable this and the server will recognize asynchronous ABOR requests. ne pas\n# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.\n#async_abor_enable=YES","#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. \n                                  Disables command "ascii" and "SIZE /big/file".","#ascii_download_enable=YES","#ftpd_banner=Welcome to YoLinux - Customize the login banner string.","#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.","#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)","#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.","#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)","ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.","pam_service_name=vsftpd","userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list\n If "userlist_enable=NO" then allow specified users.\n Red Hat: /etc/vsftpd/user_list\n#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.","listen=YES - Enable for standalone mode as opposed to an xinetd service.\n Must set SELinux boolean: setsebool -P ftpd_is_daemon 1","tcp_wrappers=YES\n \nRestart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)","[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:","directive=XXX # comment\n \n vsftp.conf man page","Specify list of local users chrooted to their home directories:","Red Hat: /etc/vsftpd/vsftpd/chroot_list\nUbuntu: /etc/vsftpd/vsftpd.chroot_list","(Requires: chroot_list_enable=NO)","user1user2...user-n\n \nSi userlist_enable=YES, then specify users not to be chroot'd..","Specify list of users:","Red Hat: /etc/vsftpd/user_list\nUbuntu: /etc/vsftpd.user_list","(Deny list of users requires: userlist_enable=YES)\n Also see PAM configuration below.\nracinepoubelledémonadmlpsynchroniserfermerarrêt...\nSi userlist_enable=NO, then specify valid users.","PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd","#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth\n \nThis causes PAM to check /etc/vsftpd.ftpusers for users who are denied.\nThis duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.\n    \n    PAM authentication configuration file: ftpusers","Red Hat: /etc/vsftpd/ftpusers\nUbuntu: /etc/vsftpd.ftpusers","racine\npoubelle\ndémon\nadm\nlp\nsynchroniser\nfermer\narrêt\n...\n...\n...\nuser6 - Users to deny\nuser8","...\n...","Logrotate configuration file: /etc/logrotate.d/vsftpd.log","/var/log/xferlog \n    # ftpd doesn't handle SIGHUP properly\n    nocompress\n    missingok","Sample vsFTPd configurations:","Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf","# Access rights\nanonymous_enable=YES - Turn on anonymous FTP","chown_uploads=YES - Uploaded files owned by an assigned user","chown_username=ftp - Uploaded files owned by this assigned user","local_enable=NO\nwrite_enable=NO - No upload of files system changes allowed","anon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n# Security\nanon_world_readable_only=YES\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO\nhide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\n# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\nanon_max_rate=50000","pam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES","Anonymous logins use the login name "anonymous" and then the user supplies their\nemail address as a password. Any password will be accepted.\nUsed to allow the public to download files from an ftp server.\nGenerally, no upload is permitted.","Web hosting configuration: /etc/vsftpd/vsftpd.conf","# Access rights\nanonymous_enable=NO\nlocal_enable=YES - Allow users to ftp to their home directories","write_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE","local_umask=022\n# Security\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO - Don't remap user name","ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string.","chroot_local_user=YES - Limit user to browse their own directory only","chroot_list_enable=YES - Enable list of system / power users","chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users","hide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\ndirmessage_enable=YES - Message greeting held in file .message or specify with message_file=...","# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\n#\npam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES","Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list\n Ubuntu typically: /etc/vsftpd.chroot_list\n (Requires: chroot_list_enable=NO)","user1user2...user-n","Si userlist_enable=YES, then specify users not to be chroot'd..","[Potential Pitfall]:\nMisspelling a directive will cause vsftpd to fail with little warning.","Fichier: .message","A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.","Test if vsftp is listening: netstat -a | grep ftp","[root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN\nLinks:\nWU-FTPd and FTP user account configuration:","The wu-ftpd FTP server can be downloaded (binary or source) from\nhttp://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org).","There are three kinds of FTP logins that wu-ftpd provides:","anonymous FTP – one logs in with the username 'anonymous'","real FTP – log in with a real username and password and\nhas access to the entire disk structure.","guest FTP – one logs in with a real user name and\npassword, but the user is chroot'ed to his home directory and cannot\nescape from it.\nThey are constrained to their home directory which also means that they don't\nhave access to /bin/ls and other commands on the server.\nThus a local minimalist environment must be set up.","This tutorial covers "guest" FTP configuration.","The file /etc/ftpaccess controls the configuration of ftp.","# Don't allow system accounts to log in over ftp\n   deny-uid %-99 %65534-\n   deny-gid %-99 %65534-","   class all real,guest *\n   email webmaster@your-domain.com\n \n \n \n loginfails 5","   readme README* login\n   readme README* cwd=*\n   message /welcome.msg login\n   message .message cwd=*","   compress yes all\n   tar yes all\n   chmod no guest,anonymous\n   delete no anonymous # delete files permission?\n   overwrite no anonymous # overwrite files permission?\n   rename no anonymous # rename files permission?\n   delete yes guest # delete files permission?\n   overwrite yes guest # overwrite files permission?\n   rename yes guest # rename files permission?\n   umask no guest # umask permission?","   log transfers anonymous,real inbound,outbound","   shutdown /etc/shutmsg","   passwd-check rfc822 warn","   # Must also create message file /etc/pathmsg of the guest directory.\n   # In this case it refers to /home/user1/public_html/etc/pathmsg.\n   path-filter guest /etc/pathmsg ^[-A-Za-z0-9_.]*$ ^. ^-\n   limit all 2\n   noretrieve passwd .htaccess core - Do not allow users to download files of these names\n \n \n \n limit-time * 20\n   byte-limit in 5000 - Limit file size\n \n \n \n guestuser * - System user default categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.\n \n \n \n realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". \n                                    Visibility of the whole file system and subject to regular UNIX file permissions\n \n \n \n realuser user4 - Assign real user privileges to user id "user4".","restricted-uid user1 user2 user3 - Restricts FTP to the specified directories\n \n \n \n guest-root /home/user1/public_html user1\n guest-root /home/user2/public_html user2\n   guest-root /home/user3/public_html user3","Remarque:","user1, user2 et user3 refer to login accounts. Use the appropriate login name.","The above configuration disables anonymous FTP which allows anyone to\nperform an FTP login with the id anonyme and an email address as a\npassword. To enable anonymous FTP, change the classe directive to:","class all real,guest,anonymous *","GUI FTP configuration tools:","/usr/bin/kwuftpd\n \n/sbin/linuxconf\n (Note: Linuxconf is no longer included with Red Hat 7.3 and later)","Red Hat Linux assigns users a user id and group id which is the same.\n    This means that it does not matter if you use a realuser ou\n realgroup directive as they will act the same.","Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections.\n    Thus xinetd must be running and configured to support ftp. le\n    configuration file is /etc/xinetd.d/wu-ftpd.\n    The command chkconfig wu-ftpd on will make the ftp server available.\n    See xinet configuration for more info.","Allow override of deny-uid et / ou deny-gid:","allow-uid user-to-allow\n \n \n \n allow-gid group-to-allow","Optional configuration:","Create a group ftpchroot\n \nAdd users to this group\n \nUse directive: guestgroup ftpchroot","[Potential Pitfall]: Flaky ftp behavior,\ntimeouts, etc?? FTP works best with name resolution of the computer it is\ncommunicating with.\nThis requires proper /etc/resolv.conf and name server (bind)\nconfiguration, /etc/hosts or NIS/NFS configuration.","Fichier /home/user1/public_html/etc/pathmsg:","A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.\n   You have tried to upload a file with an inappropriate name.","The whole point of the chroot directory is to make the\nuser's home directory appear to be the root of the\nfilesystem (/) so one could not wander around the filesystem.\nConfiguration of /etc/ftpaccess will limit the user to their respective\ndirectories while still offering access to /bin/ls and other system commands\nused in FTP operation.","As root:","cd /home/user1\n mkdir public_html\n   chown $1.$1 public_html\n   touch .rhosts - Security protection\n chmod ugo-xrw .rhosts","Man Pages:\nServeur:","ftpd – Internet File Transfer Protocol server","File Formats:","/etc/ftpaccess – Configuration file for ftpd","/etc/ftpservers – ftpd virtual hosting configuration file. (optionnel)","/etc/ftphosts – allow or deny access to certain accounts from various hosts. (optionnel)","/etc/ftpconversions – ftpd conversions database (for tar and compression)","/var/log/xferlog – FTP server logfile","ftp – File Transfer Client program","Configuration files: (RH 8.0+)","PAM configuration file: /etc/pam.d/ftp","#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth","Xinetd configuration file: /etc/xinetd.d/wu-ftpd","service ftp","        disable = no\n        socket_type = stream\n        wait = no\n        user = root\n        server = /usr/sbin/in.ftpd\n        server_args = -l -a\n        log_on_success += DURATION USERID\n        log_on_failure += USERID\n        nice = 10","Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.","Logrotate configuration file: /etc/logrotate.d/ftpd\n/var/log/xferlog nocompress","Plus d'information:\nMan pages on related FTP commands and files:","chroot – Run with a special root directory\n \nftpcount – Show number of concurrent users.\n \nftpshut – close down the ftp servers at a given time\n \nftprestart – Restart previously shutdown ftp servers\n \nftpwho – show current process information for each ftp user\n \nprivatepw – Change WU-FTPD Group Access File Information (admin command)","Other FTP daemons:\nFTP Pitfalls:","If you get the following error:","ftp> ls227 Entering Passive Mode (208,188,34,109,208,89)ftp: connect: No route to host\nThis means you have firewall issues most probably on the FTP server itself.\nStart by removing the firewall "iptables" rules: iptables -F\nAdd rules until you discover what is causing the problem.","Passive mode:\nPassive mode can also help one past the rules:\nftp> passivePassive mode on.\nThis toggles passive mode on and off.\nWhen on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port et pasv_max_port\nFirewall connection tracking module:\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_conntrack_ftp"\nNAT firewall modules:\nYou can also try adding ip_nat_ftp to the list of auto-loaded modules:\n(This will also load the dependency: ip_conntrack_ftp.)\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_nat_ftp"\nThen restart the firewall: /etc/init.d/iptables condrestart\nFTP will change ports during use. le ip_conntrack_ftp module will\nconsider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work.\ni.e. rule: /etc/sysconfig/iptables","-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\nFTP fails because it can not change to the users home directory:\nErreur:","[user1@nodex ~]$ ftp node.domain.com","Connected to XXX.XXX.XXX.XXX.\n530 Please login with USER and PASS.\n530 Please login with USER and PASS.\nKERBEROS_V4 rejected as an authentication type\nName (XXX.XXX.XXX.XXX:user1):\n331 Please specify the password.\nMot de passe:\n500 OOPS: cannot change directory:/home/user1\nLogin failed.\nftp> bye","This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory.\nAs root, grant access with the following command:\nsetsebool -P ftp_home_dir 1\nFollowed by: service vsftpd restart","Test your vsftpd SELinux settings: getsebool -a | grep ftp","allow_ftpd_anon_write --> off\nallow_ftpd_full_access --> off\nallow_ftpd_use_cifs --> off\nallow_ftpd_use_nfs --> off\nallow_tftp_anon_write --> off\nftp_home_dir --> on\nftpd_disable_trans --> off\nftpd_is_daemon --> on\nhttpd_enable_ftp_server --> off\ntftpd_disable_trans --> off","FTPd SELinux man page","FTP Linux clients:","gftp: GUI GTK+\nMulti-threaded client. File transfer directory browsing and compare.\nMultiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS,\nSSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.\n \nKFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.\n \nkbear:\nGUI KDE based client. Connect to multiple servers, transfer files,\ndirectory browsing, file content browsing. Comes with S.U.S.e. Linux.\n \nftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)","Basic user security:","When hosting web sites, there is no need to grant a shell account which only\nallows the server to have more potential security holes. Current systems can\nspecify the user to have only FTP access with no shell by granting them the\n"shell" /sbin/nologin provided with the system or the "ftponly"\nshell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id","[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5\ndoes not support this configuration to prevent shell access.\nIt requires users to have a real user shell.\nc'est à dire. / bin / bash It works great in older and current Red Hat versions.\nIf it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access.\nYou should NOT be using this problem ridden version of ftpd. Use the latest\nwu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly","[Potential Pitfall]: Ubuntu – Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access.\nOne must create the shell "ftponly" as defined below to allow vsftp access with no shell.","Disable remote telnet login access allowing FTP access only:","Change the shell for the user in /etc/passwd de / bin / bash être /opt/bin/ftponly.","...\nuser1:x:502:503::/home/user1:/opt/bin/ftponly\n...\n \n Create file: /opt/bin/ftponly.\n Protection set to -rwxr-xr-x 1 root root \n with the command: chmod ugo+x /opt/bin/ftponly\n Contents of file:","#!/bin/sh\n#\n# ftponly shell\n#\ntrap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15\n#\nAdmin=root@your-domain.com\n#System=`/bin/hostname`@`/bin/domainname`\n#\n/bin/echo\n/bin/echo "********************************************************************"\n/bin/echo " You are NOT allowed interactive access."\n/bin/echo\n/bin/echo " User accounts are restricted to ftp and web access."\n/bin/echo\n/bin/echo " Direct questions concerning this policy to $Admin."\n/bin/echo "********************************************************************"\n/bin/echo\n#\n# C'ya\n#\nexit 0","The last step is to add this to the list of valid shells on the system.\n Add the line /opt/bin/ftponly à /etc/shells.\n \n Sample file contents: /etc/shells","/ bin / bash\n/bin/bash1\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n \n See man page on /etc/shells.","An alternative would be to assign the shell /bin/false ou /sbin/nologin qui est devenu\navailable in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false ou /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.","Set file quotas to limit user account.","For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial\n \nDomain Name Server (DNS) configuration using Bind version 8 or 9:","Two of the most popular ways to configure the program Bind\n(Berkeley Internet Domain software) to perform DNS\nservices is in the role of (1) ISP or (2) Web Host.","In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any\nURL the user wishes to visit. (See DNS caching server)\n \nIn a purely web hosting configuration, Bind will only resolve for the\nIP addresses of the domains which are being hosted. This is the configuration\nwhich will be discussed and is often called an "Authoritative-only Nameserver".","When resolving IP addresses for a domain, Internic is\nexpecting a "Primary"\nand a "Secondary" DNS name server. (Sometimes called Master and Slave)\nEach DNS name server requires the file /etc/named.conf and the files it\npoints to.\nThis is typically two separate computer systems hosted on two different\nIP addresses. It is not necessary that the Linux servers be dedicated to\nDNS as they may run a web server, mail server, etc.","Note on Bind versions: Red Hat versions 6.x used Bind version 8.\nRelease 7.1 of Red Hat began using Bind version 9 and the GUI configuration\noutil bindconf was introduced for those of you that like a pretty\npoint and click interface for configuration.\n \nInstallation Packages:","Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind","bind-chroot: Security jail for operation of bind.\nbind-utils: Utility commands like nslookup, host, dig\nsystem-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).\ncaching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.","Ubuntu (dapper/hardy/natty) / Debian: bind9","Configuration files:","Red Hat / Fedora / CentOS:","Fichier\nLa description\nDirectory\nChrooted Directory","named.conf\nPrimary/Secondary DNS server configuration.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)\n/etc/\n/var/named/chroot/etc/","named.root.hints\nConfiguration for recursive service. Required for all zones.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)\n/etc/\n/var/named/chroot/etc/","nommé\nRed Hat system variables.\n/etc/sysconfig/\npas de changement","rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/named/chroot/etc/","Zone files\nConfiguration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.\n/var/named/\n/var/named/chroot/var/named/","Debian / Ubuntu:","Fichier\nLa description\nDirectory\nChrooted Directory","named.confnamed.conf.optionsnamed.conf.local\nPrimary/Secondary DNS server configuration.\n/etc/bind/\n/var/bind/chroot/etc/bind/","rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/bind/chroot/etc/","Zone files\nConfiguration files for each domain.\n/var/bind/data/\n/var/bind/chroot/var/bind/data/","Primary server (master):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) et /etc/sysconfig/named for system variables.\n Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options et /etc/bind/named.conf.local\n Simple example: (no views)","options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed.\n \n \n \n allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9",";","zone "localhost" \n        type master;\n        file "/etc/bind/db.local";\n;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;","zone "your-domain.com" - Ubuntu separates the zone definitions into /etc/bind/named.conf.local \n \n \n \n type master; - Specify master, slave, forward or hint\n \n \n \n file "data/named.your-domain.com"; \n        notify yes; - slave servers are notified when the zone is updated.\n \n \n \n allow-update none; ; - deny updates from other hosts (default: none)\n \n \n \n allow-query any; ; - allow clients to query this server (default: any)",";\nzone "your-domain-2.com"\n        type master;\n        file "data/named.your-domain-2.com";\n        notify yes;\n;","Remarque:","The omission of zone ".". Required if providing a recursive service.","Ubuntu includes the separated file of zone directives using the directive:\n include "/etc/bind/named.conf.local";","BIND Views:\nThe BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.","If no views are specified then use the configuration shown above.","The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.","If even one view is specified, then ALL zones MUST be associated with a "view".","Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "interne" and "externe":","localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf\n \ninternal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.\n \nexternal: The general public internet defined as client "any".","If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).","In order to support a DNS for internet domains using views, one will have to configure an "external" view","Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")","options","        directory "/var/named"; // the default\n        dump-file "data/cache_dump.db";\n        statistics-file "data/named_stats.txt";\n        memstatistics-file "data/named_mem_stats.txt";",";\nenregistrement","    // By default, SELinux policy does not allow named to modify the /var/named\n    // directory, so put the default debug log file in data/ :\n \n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n;\nview "localhost_resolver"","    // This view sets up named to be a localhost resolver ( caching only nameserver ).\n    // If all you want is a caching-only nameserver, then you need only define this view:\n    match-clients localhost; ;\n    ...\n;\nview "internal"","    // This view will contain zones you want to serve only to "internal" clients\n    // that connect via your directly attached LAN interfaces - "localnets" .\n    // For local private LAN. Not covered in this tutorial.\n    // Delete this view if web hosting with no local LAN.\n    match-clients localnets; ;\n    ...\n;\nkey ddns_key","        algorithm hmac-md5;\n        secret "use /usr/sbin/dns-keygen to generate TSIG keys";\n;\nview "external"","    // This view will contain zones you want to serve only to "external" \n    // public internet clients. This is covered below.\n    match-clients any; ;\n    ...\n    ..\n;\n \n Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf","cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc\nchcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints","view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:","cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named\n also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root","view "external": (master) – details –","view "external"","/* This view will contain zones you want to serve only to "external" clients\n * that have addresses that are not on your directly attached LAN interface subnets:\n * /\n        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS","recursion no;\n        // you'd probably want to deny recursion to external clients, so you don't\n        // end up providing free DNS service to all takers","        // all views must contain the root hints zone:\n        include "/etc/named.root.hints";","        // These are your "authoritative" external zones, and would probably\n        // contain entries for just your web and mail servers:","        zone "your-domain.com" \n                type master;\n                file "/var/named/data/external/named.your-domain.com";\n                notify yes;\n                allow-update none; ;\n        ;\n \n // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement\n \n \n \n include "/etc/named.conf.local"; \n;","DNS key:","Use the following command /usr/sbin/dns-keygen to create a key.\nAdd this key to the "secret" statement as follows:","key ddns_key","        algorithm hmac-md5;\n        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";\n;","Man Pages:","Forward Zone File: /var/named/named.your-domain.com","Red Hat 9 / CentOS 3: /var/named/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com\n Ubuntu / Debian: /etc/bind/data/named.your-domain.com","$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement.\n                     Measured in seconds. This value is 7 days.\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (\n   2000021600 ; en série - Many people use year+month+day+integer as a system.\n \n \n \n 86400 ; rafraîchir - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)\n \n \n \n 7200 ; réessayez - How long secondary server should wait for a retry if contact failed.\n \n \n \n 1209600 ; expirer - Secondary server to purge info after this length of time.\n \n \n \n 86400 ) ; default_ttl - How long data is held in cache by remote servers.\n \n \n \n IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. \n                                     I put the web server IP address here so that domain.com points to the same servers as www.domain.com",";\n; Name servers for the domain\n;\n       IN NS ns1.your-domain.com.\n       IN NS ns2.your-domain.com.\n;\n; Mail server for domain\n;\n       IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Faire NE PAS specify an IP address!",";\n; Nodes in domain\n;\nnode1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1","ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1","ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2","mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail.",";\n; Aliases to existing nodes in domain\n;\nwww IN CNAME node1 - Define the webserver "www" to be node1.","ftp IN CNAME node1 - Define the ftp server to be node1.\n \nDNS record types and format:","DNS record\nDescription and Format","SOA\nStart of Authority: Primary domain server and contact info\n Note that there is a period following the primary domain server and contact email.\n Note that the email address is in the form where the first period represents the "@" symbol of the email address.","your-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com.","ou","@ in SOA ns1.your-domain.com. webmaster.your-domain.com.","[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages:","view localhost_resolver: received notify for zone 'your-domain.com': not authoritative","SOA attribute\nLa description","en série\nNever use a value greater than 2147483647 for a 32 bit processor.Increment to a higher value to indicate an update to the slave server.","rafraîchir\nTime increment (seconds) between update checks of the serial number with the primary server","réessayez\nTime elapsed before a slave will contact the primary server if a connection failed","expirer\nTime till primary server information is considered invalid and should be refreshed if there is a new DNS query","le minimum\nTime for DNS servers should hold domain information in their cache before purging","DANS\nIndicate Internet.","NS\nSpecify the Authoritative Name servers for the domain.","UNE\nSpecify the IP address associated with the host name.Format: nom d'hôte IN A XXX.XXX.XXX.XXXNote that in my example, no hostname is specified for the first record. This will define the default for the domain.","CNAME\nSpecify an alias for the host name.","MX\nMail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain","PTR\nUsed to specify the reverse DNS lookup","MX records for 3rd party off-site mail servers:","your-domain.com. IN MX 10 mail1.offsitemail.com.\nyour-domain.com. IN MX 20 mail2.offsitemail.com.\n \nAppend to the above example file.\n Initial configuration:\n Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/","cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/\ncd /var/named/chroot/var/named/data/\nchcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local","A file suffix of "zone" is also common i.e. your-domain.com.zone\nSecondary server (slave):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf\n Ubuntu / Debian: /etc/bind/named.conf\n Simple example with no views:","options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named";\n allow-transfer none; ; - Slave is not transfering updates to anyone else\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9",";\nzone "localhost" \n        type master;\n        file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local",";\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;","zone "your-domain.com"\n        type slave; \n        file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL chrooted bind\n masters XXX.XXX.XXX.XXX; ; - IP address of primary DNS",";\nzone "your-domain-2.com"\n        type slave; \n        file "named.your-domain-2.com";\n        masters XXX.XXX.XXX.XXX; ;\n;\n \n view "external": (slave)","view "external"","        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer aucun; ; - Slave does not transfer to anyone, slave receives\n \n \n \n recursion no;\n        include "/etc/named.root.hints";","        zone "your-domain.com" \n                type slave;\n                file "/var/named/slaves/external/named.your-domain.com";\n                notify no; - Slave does not notify, slave is notified by master\n \n \n \n masters XXX.XXX.XXX.XXX; ; - State IP of master server\n \n \n \n ;\n;","Note: RHEL, CentOS, Fedora use chrooted directory structure\npermissions which require the use of the slaves sub-directory /var/named/slaves\n Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate a zone file on the slave.\n Information additionnelle:","[Potential Pitfall]: Ubuntu dapper/hardy/natty – Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.","[Potential Pitfall]: Ubuntu dapper/hardy/natty – Create log file and set ownership and permission for file not created by installation:","touch /var/log/bindlog\n \nchown root.bind /var/log/bindlog\n \nchmod 664 /var/log/bindlog","[Potential Pitfall]: Error in /var/log/messages:","transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied\n \nNamed needs write permission on the directory containing the file. Ce\ncondition often occurs for a new "slave" or "secondary" name server\nwhere the zone files\ndo not yet exist. The default (RHEL, CentOS, Fedora, …):","drwxr-x--- 4 root named 4096 Aug 25 2004 named\n \ndrwxrwx--- 2 named named 4096 Sep 17 20:37 slaves","Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:\nfile "slaves/named.your-domain.com";\nBind Defaults:\n \nAfter the configuration files have been edited, restart the name daemon.","/etc/init.d/named restart\n \n(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)","Bind zone transfers work best if the clocks of the two systems are synchronised.\nSee the YoLinux SysAdmin Tutorial: Time and ntpd","File: /var/named/named.your-domain.com\nThis is created for you by Bind on the slave (secondary) server when it replicates from Primary server.","DNS GUI configuration:","Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind\n \nRed Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind","Test DNS:\nMust install packages:","Red Hat / Fedora Core / SuSE: bind-utils\n \nUbuntu (dapper/hardy/natty) / Debian: bind9-host","Test the name server with the\n          hôte\ncommand in interactive mode: \n hôte node.domain-to-test.com your-nameserver-to-test.domain.com\n \nNote: The name server may also be specified by IP address.\n \nou\n \nTest the name server with the\n          nslookup\ncommand in interactive mode:\n \n nslookup> server your-nameserver-to-test.domain.com\n \n \n \n > node.domain-to-test.com\n > exit\n \nTest the MX record if appropriate:\n \n nslookup -querytype=mx domain-to-test.com\n \n OU","host -t mx domain-to-test.com\n \nTest using the dig command:\n \n dig @name-server domain-to-query","OU","dig @IP-address-of-name-server domain-to-query\n \nTest your DNS with the following DNS diagnostics web site: DnsStuff.com","Extra logging to monitor Bind:\nAdd the following to your /etc/named.conf file.","logging \n        channel bindlog \n // Keep five old versions of the log-file (rotates logs)\n \n \n \n file "/var/log/bindlog" versions 5 size 1m;\n                           print-time yes;\n                           print-category yes;\n                           print-severity yes;\n                        ;\n/* If you want to enable debugging, eg. using the 'rndc trace' command,\n * named will try to write the 'named.run' file in the $directory (/var/named).\n * By default, SELinux policy does not allow named to modify the /var/named directory,\n * so put the default debug log file in data/ :\n * /\n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n        category xfer-out bindlog; ; - Zone transfers\n \n \n \n category xfer-in bindlog; ; - Zone transfers\n \n \n \n category security bindlog; ; - Approved/unapproved requests","// The following logging statements, panic, insist and response-checks are \n// valid for Bind 8 only. Do not user for version 9.\n category panic bindlog; ; - System shutdowns\n \n \n \n category insist bindlog; ; - Internal consistency check failures\n \n \n \n category response-checks bindlog; ; - Messages",";","Chroot Bind for extra security:\nNote: Most modern Linux distributions default to a "chrooted" installation.\nThis technique runs the Bind name service with a view of the filesystem\nwhich changes the definition of the root directory "/" to a directory\nin which Bind will operate. c'est à dire. /var/named/chroot.","The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.\n \nThe latest RedHat bind updates run the named as user "named" to avoid a lot of\nearlier hacker exploits. To chroot the process is to create an even more\nsecure environment by limiting the view of the system that the process\ncan access. The process is limited to the chrooted directory assigned.\n \nThe chroot of the named process to a directory under a given user will\nprevent the possibility of an exploit which at one time would result in\nroot access.\nThe original default RedHat configuration (6.2) ran the named process as root,\nthus if an exploit was found, the named process will allow the hacker to use\nthe privileges of the root user. (no longer true)\n \nNamed Command Sytax:\n \n named -u utilisateur -g groupe -t directory-to-chroot-to\n \nExemple:\n named -u named -g named -t /opt/named\nWhen chrooted, the process does not have access to system\nlibraries thus a\nlocal lib directory is required with the appropriate library files –\ntheoretically. This does not seem to be the case here and as noted\nabove in chrooted FTP.\nIt's a mystery to me but it works????\nAnother method to handle libraries is to re-compile the named binary\nwith everything statically linked. Ajouter -static to the compile options.\nThe chrooted process should also require a local /etc/named.conf etc… but doesn't seem to???\n \nScript to create a chrooted bind environment:","#!/bin/sh\ncd /opt\nmkdir named\ncd named\nmkdir etc\nmkdir bin\nmkdir var\ncd var\nmkdir named\nmkdir run\ncd ..\nchown -R named.named bin etc var","You can probably stop here. If your system acts like a chrooted system should,\nthen continue with the following:","cp -p /etc/named.conf etc\ncp -p /etc/localtime etc\ncp -p /bin/false bin\necho "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd\necho "named:x:25:" > etc/group\ntouch var/run/named.pid","si [ -f /etc/namedb ]\npuis\n   cp -p /etc/namedb etc/namedb\nFi","mkdir dev\ncd dev","# Create a character unbuffered file.\nmknod -m ugo+rw null c 1 3","cd ..\nchown -R named.named bin etc var","Add changes to the init script: /etc/rc.d/init.d/named","#!/bin/bash\n#\n# named This shell script takes care of starting and stopping\n# named (BIND DNS server).\n#\n# chkconfig: - 55 45\n# description: named (BIND) is a Domain Name Server (DNS) \n# that is used to resolve host names to IP addresses.\n# probe: true","# Source function library.\n. /etc/rc.d/init.d/functions","# Source networking configuration.\n. /etc/sysconfig/network","# Check that networking is up.\n[ $NETWORKING = \"no\" ] && exit 0","[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named","[ -f /usr/sbin/named ] || exit 0","[ -f /etc/named.conf ] || exit 0","RETVAL=0","start() \n        # Start daemons.\n        echo -n "Starting named: "\n        daemon named -u named -g named -t /opt/named # Change made here\n\tRETVAL=$?\n \t[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named\nécho\n\treturn $RETVAL","stop() \n        # Stop daemons.\n        echo -n "Shutting down named: "\n        killproc named\n\tRETVAL=$?\n\t[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named\n        écho\n\treturn $RETVAL","rhstatus() \n\t/usr/sbin/ndc status\n\treturn $?","restart() \nArrêtez\ndébut","reload() \n\t/usr/sbin/ndc reload\n\treturn $?","probe() echo start\n\treturn $?","# See how we were called.\ncase "$1" in\n\tstart)\ndébut\n\t\t;;\n\tstop)\nArrêtez\n\t\t;;\n\tstatus)\n\t\trhstatus\n\t\t;;\n\trestart)\nredémarrer\n\t\t;;\n\tcondrestart)\n\t\t[ -f /var/lock/subsys/named ] && restart || :\n\t\t;;\n\treload)\nrecharger\n\t\t;;\n\tprobe)\nsonde\n\t\t;;\n\t*)\n        \techo "Usage: named condrestart"\nsortie 1\nesac","exit $?","Note: The current version of bind from the RedHat errata updates and security\nfixes (http://www.redhat.com/support/errata/)\nruns the named process as user "named" in the home (not chrooted) directory\n /var/named with no shell available. (named -u named)\nThis should be secure enough.\nProceed with a chrooted installation if your are paranoid.\n \nVoir:","Chrooted DNS configuration:\n \nModern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4)\ncome pre-configured to use "chrooted" bind. This security feature forces\neven an exploited version of bind to only operate within the "chrooted" jail\n /var/named/chroot\nwhich contains the familiar directories:","/var/named/chroot/etc: Configuration files\n \n/var/named/chroot/dev: devices used by bind:","/dev/null\n \n /dev/random\n \n /dev/zero","(Real devices created with the mknod command.)\n \n/var/named/chroot/var: Zone files and configuration information.","These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".","If building from source you will have to generate this configuration manually:","mkdir -p /var/named/chroot\n \nmkdir /var/named/chroot/dev\n \nmknod /var/named/chroot/dev/null c 1 3\n \nmknod /var/named/chroot/dev/zero c 1 5\n \nmknod /var/named/chroot/dev/random c 1 8\n \nchmod 666 -R /var/named/chroot/dev\n \nmkdir -p /var/named/chroot/etc\n \nln -s /var/named/chroot/etc/named.conf /etc/named.conf","mkdir -p /var/named/chroot/var/named\n \nln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX \n \nln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY \n \n…\n \nmkdir -p /var/named/chroot/var/named/slaves\n \nmkdir -p /var/named/chroot/var/named/data\n \nmkdir -p /var/named/chroot/var/run\n \nmkdir -p /var/named/chroot/var/tmp","chown -R named:named /var/named/chroot\n \nchown -R root:named /var/named/chroot/var/named","Load Balancing of servers using Bind: DNS Round-Robin\nThis will populate DNS caching name servers around the world with different IP addresses for your web server www.your-domain.com\nFichier: /var/named/data/named.your-domain.com","$TTL 604800\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com.","...\n...","www IN A 192.168.1.1","www IN A 192.168.1.2","www IN A 192.168.1.3","www IN A 192.168.1.4","www IN A 192.168.1.5","www IN A 192.168.1.6","Remarque:","This example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time for each request.\n              First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.\n \nA perfectly even load balance is not possible becaused network service providers run DNS caching servers which hold the resolved IP address for a different number of users.\n \nUsing multiple CNAME's to rotate records is no longer permissible in bind9.\n \nListing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.\n \nReducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a change in servers more quickly.","Also see lbnamed: lbnamed load balancing named","Bind/DNS Links:\nDomain name registration:","Domain Name Registrars:\n \nAfterNic.com – Domain name exchange and auction.\n \nBuyDomains.com – Buy a domain name that a squatter is holding.","Note that the Name registrations policies for the registrars are stated at ICANN.org.","You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.\n \nMost free a domain name 30 days after it expires.","Web Server Load Balancing:","Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both.\n      Multiple options are available for load balancing.","DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.\nUse a Linux Virtual Server to Create a Load Balance Cluster. See next section below.\nRun a reverse proxy. See nginx ("engine X").\n          From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).\nRun the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.","Using a Linux Virtual Server to Create a Load Balance Cluster:","You can use a single Linux server to forward requests to a cluster of servers\nusing iptables for IP masquerading and IPVsadm to scale your load.\nThe load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS).\nThe LVS receives the requests which are passed to the real servers which\nprocess and reply to the request.\nThis reply is forwarded to the client by the LVS.\n \nThis feature is available with the Linux 2.4/2.6 kernel.\n(If compiling kernel: Networking Options + IP: Virtual Server Configuration)\n \nConfiguration: This example will load balance http traffic to three web servers\nand ftp traffic to a fourth server.","Enable Forwarding:\n    (Also see YoLinux Networking Tutorial: Enable Forwarding)\necho "1" > /proc/sys/net/ipv4/ip_forward","Enable IP Masquerading:\niptables -t nat -P POSTROUTING DROPiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n For more on IP Masquerading, iptables and subnet addresses, see the\n    YoLinux network gateway tutorial.\n \nEnable virtual server:","Create virtual service and choose scheduler for http (80) and ftp (21):\nipvsadm -A -t 66.218.88.103:80 -s wlcipvsadm -A -t 66.218.88.103:21 -s wrr\n Command directives:","A: Add a virtual service defined by IP address, port number, and protocol.\n \n-t: Use TCP service host:port\n \n-s: scheduler:","rr: Robin Robin: distributes jobs equally amongst the avail-\n                            able real servers.\n \nwrr: Weighted Round Robin.\n \nlc: Least-Connection: assigns more jobs to real servers with\n                            fewer active jobs.\n \nwlc: (Default) Weighted Least-Connection: assigns more jobs to servers\n                            with fewer jobs and relative to the real server's weight.\n \nlblc, lblcr, dh, sh, sed, nq. See man page.","Configure load balancing cluser.\nipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -mipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -mipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m\n Command directives:","-r: Real server.\n \n-m: Use masquerading also known as network address translation (NAT)\n \n-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.","Links:\n \nManaging Web Server Daemons:","To view if these services are\nrunning, type ps -aux and look for the httpd, inetd and named\nservices (daemons). These are background processes necessary to perform\nthe server tasks.","root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named\n   nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd\n   nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd\n   root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd","A new installation will most likely NOT start the named background process\nwhich may be started manually after configuration.\n See the YoLinux Init Process Tutorial\npour plus d'informations.\n The inetd (or xinetd) background process is the Internet daemon which\nstarts FTP when an ftp request is made.","Sys Admin Script:","Script to prepare an account: (Red Hat/Fedora)","#!/bin/sh\n# Author Greg Ippolito\n# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.\n# /opt/bin/ftponly\n# You must be root to run this script.\n#\nsi [ $# -eq 0 ]\npuis\n   echo "Enter user id as a command argument"\nelse if [ -r /home/$1 ]\npuis\n   echo "User's home directory already exists"\nautre\n   echo "1) Create user."\n   adduser -m $1","   echo "2) Set user Password."\n   passwd $1","   echo "3) Add read access to user directory so apache can read it."\n   cd /home\n   chmod ugo+rx $1\n   cd $1","   echo "4) Create web directories."\n   mkdir public_html\n   chown $1.$1 public_html\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html\n   cd public_html\n   mkdir images\n   chown $1.$1 images\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images","   # Block potential for unauthenticated logins\n   cd ../\n   touch .rhosts\n   chmod ugo-xrw .rhosts","   echo "5) Create default web page"\n   sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html\n   cp -p /opt/etc/AccountDefaults/favicon.ico .\n   cp -p /opt/etc/AccountDefaults/default-logo.gif ./images\n   cp -p /opt/etc/AccountDefaults/robots.txt .\n   chown $1.$1 index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t images/default-logo.gif","   echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"\n   cp -p /etc/passwd /etc/passwd-`date +%m%d%y`\n   sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd","#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid\n#wu-ftp# echo "7) Add user to /etc/ftpaccess file"\n#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`\n#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess","   echo "7) Add user to vsftpd chroot list\n   cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list","   echo "8) Setting Disk Quotas to default 50Mb limit:"\n# Use user johndoe as a prototype.\n   edquota -p johndoe $1","   echo "9) Admin Follow-up:"\n   echo " Modify quota.user if different than default"\n   echo " Make changes to Bind names services on dns1 and dns2 if necessary"\n   echo " Change /etc/http/conf/httpd.conf or \n   echo " add config to /etc/http/conf.d/ if using a new domain name"\n   echo " Add e-mail aliases to mail server if necessary"\nFi\nFi","FYI: Sample robots.txt files:\n \nUseful links and resources:","Livres:",""Ubuntu Unleashed 2017 edition:"\n Covering 16.10 and 17.04, 17.10 (12th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0134511182",""Ubuntu Unleashed 2013 edition:"\n Covering 12.10 and 13.04 (8th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672336243\n (Dec 15, 2012)",""Ubuntu Unleashed 2012 edition:"\n Covering 11.10 and 12.04 (7th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672335786\n (Jan 16, 2012)",""Red Hat Enterprise Linux 7: Desktops and Administration"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280620\n (Jan 13, 2017)",""Fedora 18 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280639\n (Mar 6, 2013)",""Fedora 18 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280698\n (March 29, 2013)",""Fedora 14 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280167\n (Nov 30, 2010)",""Fedora 14 Administration and Security"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280221\n (Jan 6, 2011)",""Fedora 14 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280191\n (Dec 26, 2010)",""Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"\n by Mark Sobell\n Prentice Hall PTR, ISBN# 0137003889\n 2 edition (January 9, 2009)",""Fedora 10 and Red Hat Enterprise Linux Bible"\n by Christopher Negus\n Wiley, ISBN# 0470413395",""Red Hat Fedora 6 and Enterprise Linux Bible"\n by Christopher Negus\n Sams, ISBN# 047008278X",""Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"\n by Richard Petersen\n Sams, ISBN# 0071486429",""Red Hat Fedora Core 6 Unleashed"\n by Paul Hudson, Andrew Hudson\n Sams, ISBN# 0672329298",""Red Hat Linux Fedora 3 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672327082",""Red Hat Linux 9 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672325888\n May 8, 2003","I have the Red Hat 6 version and I have found it to be very helpful.\n    I have found it to be way more complete than the other Linux books.\n    It is the most complete general Linux book in publication. While other\n    books in the "Unleashed" series have dissapointed me, this book\n    is the best out there.",""Apache Server Bible 2"\n by Mohammed J. Kabir\n ISBN # 0764548212, Hungry Minds","This book is very complete covering all aspects in detail. Ce n'est pas\n    your basic reprint of the apache.org documents like so many others.",""Pro DNS and Bind"\n by Ronald Aitchison\n Apress, ISBN# 1590594940","Click to rate this post!\n \n [Total: 0 Average: 0]"],"content_blocks":[{"id":"text-1","type":"text","heading":"","plain_text":"Prérequis du site Web:","html":"

Prérequis du site Web:

"},{"id":"text-2","type":"text","heading":"","plain_text":"Ce tutoriel suppose que Linux est installé et fonctionne sur un ordinateur.\nVoir Installation de RedHat\npour les bases. Une connexion à Internet est également supposée.\nUne connexion de 128 Mbits / s ou plus donnera les meilleurs résultats.\nISDN, DSL, modem câble ou mieux sont tous appropriés.\nUn modem 56k fonctionnera mais les résultats seront au mieux médiocres.\nLes tâches doivent également être effectuées avec le nom d'utilisateur et le mot de passe de l'utilisateur root.","html":"

Ce tutoriel suppose que Linux est installé et fonctionne sur un ordinateur.\nVoir Installation de RedHat\npour les bases. Une connexion à Internet est également supposée.\nUne connexion de 128 Mbits / s ou plus donnera les meilleurs résultats.\nISDN, DSL, modem câble ou mieux sont tous appropriés.\nUn modem 56k fonctionnera mais les résultats seront au mieux médiocres.\nLes tâches doivent également être effectuées avec le nom d'utilisateur et le mot de passe de l'utilisateur root.

"},{"id":"text-3","type":"text","heading":"","plain_text":"Aucune distribution ne semble avoir un avantage. Une distribution Ubuntu, SuSe, Fedora, Red Hat ou CentOS inclura tous les logiciels dont vous aurez besoin pour configurer un serveur Web.\nSi vous utilisez Red Hat Enterprise Linux, l'édition Workstation ou Server répondra à vos besoins, à l'exception du fait que l'édition Workstation n'inclura pas le package vsFTP. Il devra être compilé à partir de la source ou utiliser sftp.","html":"

Aucune distribution ne semble avoir un avantage. Une distribution Ubuntu, SuSe, Fedora, Red Hat ou CentOS inclura tous les logiciels dont vous aurez besoin pour configurer un serveur Web.\nSi vous utilisez Red Hat Enterprise Linux, l'édition Workstation ou Server répondra à vos besoins, à l'exception du fait que l'édition Workstation n'inclura pas le package vsFTP. Il devra être compilé à partir de la source ou utiliser sftp.

"},{"id":"text-4","type":"text","heading":"","plain_text":"Prérequis logiciels: Le serveur Web Apache (httpd),\nFTP (nécessite xinetd ou inetd)\net Bind (nommé)\nles progiciels avec leurs dépendances sont tous nécessaires.\nOn peut utiliser le rpm commande pour vérifier l'installation:","html":"

Prérequis logiciels: Le serveur Web Apache (httpd),\nFTP (nécessite xinetd ou inetd)\net Bind (nommé)\nles progiciels avec leurs dépendances sont tous nécessaires.\nOn peut utiliser le rpm commande pour vérifier l'installation:

"},{"id":"text-5","type":"text","heading":"","plain_text":"Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:","html":"

Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:

"},{"id":"text-6","type":"text","heading":"","plain_text":"rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd\n \n RPM ajoutés FC2 +: system-config-httpd\n RPM ajoutés FC3 +: httpd-suexec","html":"

rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd\n \n RPM ajoutés FC2 +: system-config-httpd\n RPM ajoutés FC3 +: httpd-suexec

"},{"id":"text-7","type":"text","heading":"","plain_text":"Chapeau rouge 9.0\n rpm -q httpd lier xinetd vsftpd\nUn RPM wu-ftpd Red Hat 8.0 peut être installé (version plus récente, version 2.6.2 ou ultérieure, avec correctif de sécurité). wu-ftpd-2.6.2-11) ou installer à partir de la source (rev 14).","html":"

Chapeau rouge 9.0\n rpm -q httpd lier xinetd vsftpd\nUn RPM wu-ftpd Red Hat 8.0 peut être installé (version plus récente, version 2.6.2 ou ultérieure, avec correctif de sécurité). wu-ftpd-2.6.2-11) ou installer à partir de la source (rev 14).

"},{"id":"text-8","type":"text","heading":"","plain_text":"Red Hat 8.0\n rpm -q httpd lie xinetd wu-ftpd","html":"

Red Hat 8.0\n rpm -q httpd lie xinetd wu-ftpd

"},{"id":"text-9","type":"text","heading":"","plain_text":"Red Hat 7.x:\n rpm -q apache bind inetd wu-ftpd\nUtilisez wu-ftpd version 2.6.2 ou ultérieure pour éviter les problèmes de sécurité.","html":"

Red Hat 7.x:\n rpm -q apache bind inetd wu-ftpd\nUtilisez wu-ftpd version 2.6.2 ou ultérieure pour éviter les problèmes de sécurité.

"},{"id":"text-10","type":"text","heading":"","plain_text":"SuSE 9.3:\n rpm -ivh apache2 apache2-prefork lier lier-chrootenv lier-utils vsftpd\nRemarque: apache2-MPM est un terme générique désignant les options d'installation d'Apache.\npour "Modules de traitement multiple (MPM)", "prefork" ou "worker". Si vous essayez\net installez uniquement apache2, vous obtiendrez l’erreur suivante:\n apache2-MPM est nécessaire pour apache2-2.0.53-9\nVoir aussi Apache.org: MPMs","html":"

SuSE 9.3:\n rpm -ivh apache2 apache2-prefork lier lier-chrootenv lier-utils vsftpd\nRemarque: apache2-MPM est un terme générique désignant les options d'installation d'Apache.\npour "Modules de traitement multiple (MPM)", "prefork" ou "worker". Si vous essayez\net installez uniquement apache2, vous obtiendrez l’erreur suivante:\n apache2-MPM est nécessaire pour apache2-2.0.53-9\nVoir aussi Apache.org: MPMs

"},{"id":"text-11","type":"text","heading":"","plain_text":"Ubuntu (natty 11.04 / 14.04) / Debian:","html":"

Ubuntu (natty 11.04 / 14.04) / Debian:

"},{"id":"text-12","type":"text","heading":"","plain_text":"apt-get install apache2\n   apt-get install bind9\n   apt-get install vsftpd","html":"

apt-get install apache2\n   apt-get install bind9\n   apt-get install vsftpd

"},{"id":"text-13","type":"text","heading":"","plain_text":"Ubuntu (dapper 6.06 / hardy 8.04) / Debian:","html":"

Ubuntu (dapper 6.06 / hardy 8.04) / Debian:

"},{"id":"text-14","type":"text","heading":"","plain_text":"apt-get install apache2 apache2 commun apache2-mpm-prefork apache2-utils\n   apt-get install bind9\n   apt-get install vsftpd","html":"

apt-get install apache2 apache2 commun apache2-mpm-prefork apache2-utils\n   apt-get install bind9\n   apt-get install vsftpd

"},{"id":"text-15","type":"text","heading":"","plain_text":"Vous devez également avoir une connaissance pratique du processus init Linux afin que ces services soient lancés au démarrage du système.\nConsultez le tutoriel sur le processus d'initialisation YoLinux pour plus d'informations.","html":"

Vous devez également avoir une connaissance pratique du processus init Linux afin que ces services soient lancés au démarrage du système.\nConsultez le tutoriel sur le processus d'initialisation YoLinux pour plus d'informations.

"},{"id":"text-16","type":"text","heading":"","plain_text":"Configuration du serveur Web HTTP Apache:","html":"

Configuration du serveur Web HTTP Apache:

"},{"id":"text-17","type":"text","heading":"","plain_text":"Le fichier de configuration du serveur Web Apache est: /etc/httpd/conf/httpd.conf","html":"

Le fichier de configuration du serveur Web Apache est: /etc/httpd/conf/httpd.conf

"},{"id":"text-18","type":"text","heading":"","plain_text":"Les pages Web sont servies à partir de l'annuaire tel que configuré par le\n DocumentRoot directif. L'emplacement du répertoire par défaut est:","html":"

Les pages Web sont servies à partir de l'annuaire tel que configuré par le\n DocumentRoot directif. L'emplacement du répertoire par défaut est:

"},{"id":"text-19","type":"text","heading":"","plain_text":"Distribution Linux\nServeur Web Apache "DocumentRoot"","html":"

Distribution Linux\nServeur Web Apache "DocumentRoot"

"},{"id":"text-20","type":"text","heading":"","plain_text":"Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6\n / var / www / html /","html":"

Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6\n / var / www / html /

"},{"id":"text-21","type":"text","heading":"","plain_text":"Red Hat 6.x et plus\n / home / httpd / html /","html":"

Red Hat 6.x et plus\n / home / httpd / html /

"},{"id":"text-22","type":"text","heading":"","plain_text":"Suse 9.x\n / srv / www / htdocs /","html":"

Suse 9.x\n / srv / www / htdocs /

"},{"id":"text-23","type":"text","heading":"","plain_text":"Ubuntu (dapper 6.06) / Debian\n / var / www / html","html":"

Ubuntu (dapper 6.06) / Debian\n / var / www / html

"},{"id":"text-24","type":"text","heading":"","plain_text":"Ubuntu (hardy 8.04 / natty 11.04 / fidèle 14.04) / Debian\n / var / www","html":"

Ubuntu (hardy 8.04 / natty 11.04 / fidèle 14.04) / Debian\n / var / www

"},{"id":"text-25","type":"text","heading":"","plain_text":"La page d'accueil par défaut pour la configuration par défaut est index.html.\nNotez que les pages ne doivent pas appartenir à l'utilisateur apache comme c'est le\npropriétaire du processus du démon du serveur Web httpd. Si le processus du serveur Web est\ncompromis, il ne devrait pas être autorisé à modifier les fichiers. Les fichiers\ndevrait bien sûr être lisible par l'utilisateur apache.","html":"

La page d'accueil par défaut pour la configuration par défaut est index.html.\nNotez que les pages ne doivent pas appartenir à l'utilisateur apache comme c'est le\npropriétaire du processus du démon du serveur Web httpd. Si le processus du serveur Web est\ncompromis, il ne devrait pas être autorisé à modifier les fichiers. Les fichiers\ndevrait bien sûr être lisible par l'utilisateur apache.

"},{"id":"text-26","type":"text","heading":"","plain_text":"Apache peut être configuré pour s'exécuter de cette manière en tant qu'hôte pour un site Web.\nou il peut être configuré pour servir pour plusieurs domaines. Servir pour plusieurs\nLes domaines peuvent être atteints de deux manières:","html":"

Apache peut être configuré pour s'exécuter de cette manière en tant qu'hôte pour un site Web.\nou il peut être configuré pour servir pour plusieurs domaines. Servir pour plusieurs\nLes domaines peuvent être atteints de deux manières:

"},{"id":"text-27","type":"text","heading":"","plain_text":"Hôtes virtuels: Une adresse IP mais plusieurs domaines – Hébergement virtuel "basé sur le nom".","html":"

Hôtes virtuels: Une adresse IP mais plusieurs domaines – Hébergement virtuel "basé sur le nom".

"},{"id":"text-28","type":"text","heading":"","plain_text":"Plusieurs hôtes virtuels basés sur IP: Une adresse IP pour chaque domaine – Hébergement virtuel "basé sur IP".","html":"

Plusieurs hôtes virtuels basés sur IP: Une adresse IP pour chaque domaine – Hébergement virtuel "basé sur IP".

"},{"id":"text-29","type":"text","heading":"","plain_text":"La configuration par défaut permettra à l'un d'avoir plusieurs comptes d'utilisateurs\nsous un domaine en utilisant une référence au compte d'utilisateur:\n http: // www.domain.com/ ~ utilisateur1 /.\nSi aucun domaine n'est enregistré ou configuré, l'adresse IP peut également être utilisée:\n http: //XXX.XXX.XXX.XXX/ ~ utilisateur1 /.","html":"

La configuration par défaut permettra à l'un d'avoir plusieurs comptes d'utilisateurs\nsous un domaine en utilisant une référence au compte d'utilisateur:\n http: // www.domain.com/ ~ utilisateur1 /.\nSi aucun domaine n'est enregistré ou configuré, l'adresse IP peut également être utilisée:\n http: //XXX.XXX.XXX.XXX/ ~ utilisateur1 /.

"},{"id":"text-30","type":"text","heading":"","plain_text":"[Potential Pitfall] \nLe umask par défaut pour la création de répertoire est correct par défaut mais s'il ne l'est pas, utilisez:\n chmod 755 / home /utilisateur1/ public_html","html":"

[Potential Pitfall] \nLe umask par défaut pour la création de répertoire est correct par défaut mais s'il ne l'est pas, utilisez:\n chmod 755 / home /utilisateur1/ public_html

"},{"id":"text-31","type":"text","heading":"","plain_text":"[Potential Pitfall] Lors de la création de "Annuaire"\ndirectives de configuration,\nJ'ai trouvé que les placer par l'existant "Annuaire"directives\nêtre une mauvaise idée.\nIl n'utiliserait pas le .htaccess fichier. C'était parce que la déclaration\ndéfinir l'utilisation de la .htaccess le fichier était après la\n"Annuaire"déclaration. Précédemment dans RH 6.x\nles fichiers ont été séparés et l'ordre a été défini un peu différent.\nJe place maintenant de nouveaux "Annuaire"déclarations vers la fin du fichier juste\navant le "VirtualHost"déclarations.","html":"

[Potential Pitfall] Lors de la création de "Annuaire"\ndirectives de configuration,\nJ'ai trouvé que les placer par l'existant "Annuaire"directives\nêtre une mauvaise idée.\nIl n'utiliserait pas le .htaccess fichier. C'était parce que la déclaration\ndéfinir l'utilisation de la .htaccess le fichier était après la\n"Annuaire"déclaration. Précédemment dans RH 6.x\nles fichiers ont été séparés et l'ordre a été défini un peu différent.\nJe place maintenant de nouveaux "Annuaire"déclarations vers la fin du fichier juste\navant le "VirtualHost"déclarations.

"},{"id":"text-32","type":"text","heading":"","plain_text":"Pour les utilisateurs de Red Hat 7.1, l'outil de configuration de l'interface graphique apacheconf\na été introduit pour la foule qui aime utiliser de jolis outils de pointer et cliquer.","html":"

Pour les utilisateurs de Red Hat 7.1, l'outil de configuration de l'interface graphique apacheconf\na été introduit pour la foule qui aime utiliser de jolis outils de pointer et cliquer.

"},{"id":"text-33","type":"text","heading":"","plain_text":"Fichiers utilisés par Apache:","html":"

Fichiers utilisés par Apache:

"},{"id":"text-34","type":"text","heading":"","plain_text":"Script de démarrage / arrêt / redémarrage:","html":"

Script de démarrage / arrêt / redémarrage:

"},{"id":"text-35","type":"text","heading":"","plain_text":"Red Hat / Fedora / CentOS: /etc/rc.d/init.d/httpd\n \nSuSE 9.3: /etc/init.d/apache2\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/init.d/apache2","html":"

Red Hat / Fedora / CentOS: /etc/rc.d/init.d/httpd\n \nSuSE 9.3: /etc/init.d/apache2\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/init.d/apache2

"},{"id":"text-36","type":"text","heading":"","plain_text":"Fichier de configuration principal Apache:","html":"

Fichier de configuration principal Apache:

"},{"id":"text-37","type":"text","heading":"","plain_text":"Red Hat / Fedora / CentOS: /etc/httpd/conf/httpd.conf\n \nSuSE: /etc/apache2/httpd.conf\n (Nécessité d'ajouter une directive: Nom du serveur nom d'hôte)\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/apache2/apache2.conf","html":"

Red Hat / Fedora / CentOS: /etc/httpd/conf/httpd.conf\n \nSuSE: /etc/apache2/httpd.conf\n (Nécessité d'ajouter une directive: Nom du serveur nom d'hôte)\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/apache2/apache2.conf

"},{"id":"text-38","type":"text","heading":"","plain_text":"Fichiers de configuration supplémentaires Apache:","html":"

Fichiers de configuration supplémentaires Apache:

"},{"id":"text-39","type":"text","heading":"","plain_text":"Red Hat / Fedora / CentOS: /etc/httpd/conf.d/composant.conf\n \nSuSE: /etc/apache2/conf.d/composant.conf\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian:","html":"

Red Hat / Fedora / CentOS: /etc/httpd/conf.d/composant.conf\n \nSuSE: /etc/apache2/conf.d/composant.conf\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian:

"},{"id":"text-40","type":"text","heading":"","plain_text":"Domaines virtuels: / etc / apache2 / sites-enabled /domaine\n (Créer un lien symbolique à partir de / etc / apache2 / sites-enabled /domaine à / etc / apache2 / sites-available /domaine pour allumer. Utiliser la commande a2ensite)\n \nDirectives de configuration supplémentaires: /etc/apache2/conf.d/\n \nModules à charger: / etc / apache2 / mods-available /\n (Lien symbolique vers / etc / apache2 / mods-enabled / pour allumer)\n \nPorts à écouter: /etc/apache2/ports.conf","html":"

Domaines virtuels: / etc / apache2 / sites-enabled /domaine\n (Créer un lien symbolique à partir de / etc / apache2 / sites-enabled /domaine à / etc / apache2 / sites-available /domaine pour allumer. Utiliser la commande a2ensite)\n \nDirectives de configuration supplémentaires: /etc/apache2/conf.d/\n \nModules à charger: / etc / apache2 / mods-available /\n (Lien symbolique vers / etc / apache2 / mods-enabled / pour allumer)\n \nPorts à écouter: /etc/apache2/ports.conf

"},{"id":"text-41","type":"text","heading":"","plain_text":"/ var / log / httpd / access_log et error_log –\n    Fichiers journaux Apache Red Hat / Fedora Core\n (Suse: / var / log / apache2 /)","html":"

/ var / log / httpd / access_log et error_log –\n    Fichiers journaux Apache Red Hat / Fedora Core\n (Suse: / var / log / apache2 /)

"},{"id":"text-42","type":"text","heading":"","plain_text":"Démarrer / Arrêter / Redémarrer les scripts:\nLe script doit être exécuté avec les qualificatifs début, Arrêtez,\n redémarrer ou statut.\n c'est à dire.\n /etc/rc.d/init.d/httpd restart. Un redémarrage permet au serveur Web\npour redémarrer et lire les fichiers de configuration pour prendre en compte les modifications.\nPour que ce script soit appelé au démarrage du système, lancez la commande\n chkconfig --add httpd.\nVoir le tutoriel sur le processus Linux Init pour\nune discussion plus complète.","html":"

Démarrer / Arrêter / Redémarrer les scripts:\nLe script doit être exécuté avec les qualificatifs début, Arrêtez,\n redémarrer ou statut.\n c'est à dire.\n /etc/rc.d/init.d/httpd restart. Un redémarrage permet au serveur Web\npour redémarrer et lire les fichiers de configuration pour prendre en compte les modifications.\nPour que ce script soit appelé au démarrage du système, lancez la commande\n chkconfig --add httpd.\nVoir le tutoriel sur le processus Linux Init pour\nune discussion plus complète.

"},{"id":"text-43","type":"text","heading":"","plain_text":"Aussi outil de contrôle Apache: / usr / sbin / apachectl start","html":"

Aussi outil de contrôle Apache: / usr / sbin / apachectl start

"},{"id":"text-44","type":"text","heading":"","plain_text":"Apache Control Command: apachectl:","html":"

Apache Control Command: apachectl:

"},{"id":"text-45","type":"text","heading":"","plain_text":"Red Hat / Fedora Core / CentOS: apachectl directif","html":"

Red Hat / Fedora Core / CentOS: apachectl directif

"},{"id":"text-46","type":"text","heading":"","plain_text":"Ubuntu dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04 / Debian: apachectl (lien logiciel vers apache2ctl) ou apache2ctl directif","html":"

Ubuntu dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04 / Debian: apachectl (lien logiciel vers apache2ctl) ou apache2ctl directif

"},{"id":"text-47","type":"text","heading":"","plain_text":"Directif\nLa description","html":"

Directif\nLa description

"},{"id":"text-48","type":"text","heading":"","plain_text":"début\nDémarrez le démon Apache httpd. Donne une erreur s'il est déjà en cours d'exécution.","html":"

début\nDémarrez le démon Apache httpd. Donne une erreur s'il est déjà en cours d'exécution.

"},{"id":"text-49","type":"text","heading":"","plain_text":"Arrêtez\nArrête le démon Apache httpd.","html":"

Arrêtez\nArrête le démon Apache httpd.

"},{"id":"text-50","type":"text","heading":"","plain_text":"gracieux\nRedémarre gracieusement le démon Apache httpd. Si la\nle démon n'est pas en cours d'exécution, il est démarré. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.","html":"

gracieux\nRedémarre gracieusement le démon Apache httpd. Si la\nle démon n'est pas en cours d'exécution, il est démarré. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.

"},{"id":"text-51","type":"text","heading":"","plain_text":"gracieux-stop\nArrête gracieusement le démon Apache httpd. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.","html":"

gracieux-stop\nArrête gracieusement le démon Apache httpd. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées.

"},{"id":"text-52","type":"text","heading":"","plain_text":"redémarrer\nRedémarre le démon httpd Apache. Si le démon est\nne marche pas, c'est commencé. Cette commande vérifie automatiquement la\nfichiers de configuration comme dans configtest avant de lancer le redémarrage\nassurez-vous que le démon ne meurt pas.","html":"

redémarrer\nRedémarre le démon httpd Apache. Si le démon est\nne marche pas, c'est commencé. Cette commande vérifie automatiquement la\nfichiers de configuration comme dans configtest avant de lancer le redémarrage\nassurez-vous que le démon ne meurt pas.

"},{"id":"text-53","type":"text","heading":"","plain_text":"statut\nAffiche un bref rapport de statut.","html":"

statut\nAffiche un bref rapport de statut.

"},{"id":"text-54","type":"text","heading":"","plain_text":"statut complet\nAffiche un rapport d'état complet de\nétat_modal. Requiert l'activation de mod_status sur votre serveur et une base de données textuelle\nnavigateur tel que Lynx disponible sur votre système. L'URL utilisée pour accéder\nle rapport d'état peut être défini en modifiant la variable STATUSURL dans le\nscénario.","html":"

statut complet\nAffiche un rapport d'état complet de\nétat_modal. Requiert l'activation de mod_status sur votre serveur et une base de données textuelle\nnavigateur tel que Lynx disponible sur votre système. L'URL utilisée pour accéder\nle rapport d'état peut être défini en modifiant la variable STATUSURL dans le\nscénario.

"},{"id":"text-55","type":"text","heading":"","plain_text":"configtest-t\nExécutez un test de syntaxe du fichier de configuration.","html":"

configtest-t\nExécutez un test de syntaxe du fichier de configuration.

"},{"id":"text-56","type":"text","heading":"","plain_text":"Outil de contrôle Apache: apachectl – page de manuel","html":"

Outil de contrôle Apache: apachectl – page de manuel

"},{"id":"text-57","type":"text","heading":"","plain_text":"Fichiers de configuration Apache:","html":"

Fichiers de configuration Apache:

"},{"id":"text-58","type":"text","heading":"","plain_text":"/etc/httpd/conf/httpd.conf: est utilisé pour configurer Apache.\nDans le passé, il était divisé en trois fichiers. Ceux-ci peuvent maintenant être tous\nconcaténés dans un fichier.\nVoir la documentation en ligne Apache\npour le manuel complet.","html":"

/etc/httpd/conf/httpd.conf: est utilisé pour configurer Apache.\nDans le passé, il était divisé en trois fichiers. Ceux-ci peuvent maintenant être tous\nconcaténés dans un fichier.\nVoir la documentation en ligne Apache\npour le manuel complet.

"},{"id":"text-59","type":"text","heading":"","plain_text":"/etc/httpd/conf.d/application.conf: Tous les fichiers de configuration\n    dans ce répertoire sont inclus lors du démarrage d’Apache. Utilisé pour stocker des configurations spécifiques à une application.","html":"

/etc/httpd/conf.d/application.conf: Tous les fichiers de configuration\n    dans ce répertoire sont inclus lors du démarrage d’Apache. Utilisé pour stocker des configurations spécifiques à une application.

"},{"id":"text-60","type":"text","heading":"","plain_text":"/ etc / sysconfig / httpd: Contient les variables d'environnement utilisées lors du démarrage d'Apache.","html":"

/ etc / sysconfig / httpd: Contient les variables d'environnement utilisées lors du démarrage d'Apache.

"},{"id":"text-61","type":"text","heading":"","plain_text":"Paramètres de base: Changer la valeur par défaut pour NomServeur www. <votre-domaine.com>","html":"

Paramètres de base: Changer la valeur par défaut pour NomServeur www. <votre-domaine.com>

"},{"id":"text-62","type":"text","heading":"","plain_text":"Autoriser Apache à accéder au système de fichiers: Il est prudent de limiter Apache\nvue du système de fichiers uniquement aux répertoires nécessaires. Ceci est fait avec\nla déclaration de répertoire.\nCommencez par refuser l'accès à tout, puis accordez l'accès aux ressources nécessaires.\ndes répertoires.","html":"

Autoriser Apache à accéder au système de fichiers: Il est prudent de limiter Apache\nvue du système de fichiers uniquement aux répertoires nécessaires. Ceci est fait avec\nla déclaration de répertoire.\nCommencez par refuser l'accès à tout, puis accordez l'accès aux ressources nécessaires.\ndes répertoires.

"},{"id":"text-63","type":"text","heading":"","plain_text":"Refuser complètement l'accès à la racine du système de fichiers ("/") par défaut:","html":"

Refuser complètement l'accès à la racine du système de fichiers ("/") par défaut:

"},{"id":"text-64","type":"text","heading":"","plain_text":"Commencez par refuser, puis accordez les autorisations:","html":"

Commencez par refuser, puis accordez les autorisations:

"},{"id":"text-65","type":"text","heading":"","plain_text":"Options Aucune\n   AllowOverride None","html":"

Options Aucune\n   AllowOverride None

"},{"id":"text-66","type":"text","heading":"","plain_text":"Définissez l'emplacement par défaut des pages Web du système et autorisez l'accès: (Red Hat / Fedora / CentOS)","html":"

Définissez l'emplacement par défaut des pages Web du système et autorisez l'accès: (Red Hat / Fedora / CentOS)

"},{"id":"text-67","type":"text","heading":"","plain_text":"DocumentRoot "/ var / www / html"","html":"

DocumentRoot "/ var / www / html"

"},{"id":"text-68","type":"text","heading":"","plain_text":"Index des options FollowSymLinks\n   AllowOverride None\n   Ordre permettre, refuser\n   Autoriser de tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+","html":"

Index des options FollowSymLinks\n   AllowOverride None\n   Ordre permettre, refuser\n   Autoriser de tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+

"},{"id":"text-69","type":"text","heading":"","plain_text":"Note: la directive "Exiger tout accordé"est nouveau depuis Apache httpd 2.4.3.","html":"

Note: la directive "Exiger tout accordé"est nouveau depuis Apache httpd 2.4.3.

"},{"id":"text-70","type":"text","heading":"","plain_text":"Le comportement hérité peut être obtenu avec la commande: sudo a2enmod access_compat\nAccorder l'accès au répertoire Web d'un utilisateur: public_html","html":"

Le comportement hérité peut être obtenu avec la commande: sudo a2enmod access_compat\nAccorder l'accès au répertoire Web d'un utilisateur: public_html

"},{"id":"text-71","type":"text","heading":"","plain_text":"Activation de Red Hat / Fedora Linux, Apache public_html accès au répertoire utilisateur:\nCela permettra aux utilisateurs de servir le contenu de leurs répertoires personnels dans le sous-répertoire "/maison/identifiant d'utilisateur/ public_html /"en accédant à l'URL http: //nom d'hôte/ ~ userid /","html":"

Activation de Red Hat / Fedora Linux, Apache public_html accès au répertoire utilisateur:\nCela permettra aux utilisateurs de servir le contenu de leurs répertoires personnels dans le sous-répertoire "/maison/identifiant d'utilisateur/ public_html /"en accédant à l'URL http: //nom d'hôte/ ~ userid /

"},{"id":"text-72","type":"text","heading":"","plain_text":"Fichier: /etc/httpd/conf/httpd.conf","html":"

Fichier: /etc/httpd/conf/httpd.conf

"},{"id":"text-73","type":"text","heading":"","plain_text":"LoadModule userdir_module modules / mod_userdir.so","html":"

LoadModule userdir_module modules / mod_userdir.so

"},{"id":"text-74","type":"text","heading":"","plain_text":"...\n...","html":"

...\n...

"},{"id":"text-75","type":"text","heading":"","plain_text":"#UserDir disable - Ajoute un commentaire à cette ligne\n #\n    # Pour permettre aux requêtes à / ~ utilisateur / de servir le public_html de l'utilisateur\n    # répertoire, supprimez la ligne "UserDir disable" ci-dessus et supprimez le commentaire\n    # la ligne suivante à la place:\n UserDir public_html # Décommenter cette ligne","html":"

#UserDir disable - Ajoute un commentaire à cette ligne\n #\n    # Pour permettre aux requêtes à / ~ utilisateur / de servir le public_html de l'utilisateur\n    # répertoire, supprimez la ligne "UserDir disable" ci-dessus et supprimez le commentaire\n    # la ligne suivante à la place:\n UserDir public_html # Décommenter cette ligne

"},{"id":"text-76","type":"text","heading":"","plain_text":"...\n...","html":"

...\n...

"},{"id":"text-77","type":"text","heading":"","plain_text":"AllowOverride FileInfo AuthConfig Limit\n    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec\n \n Ordre permettre, refuser\n        Autoriser de tous\n \n \n \n \n \n Ordre nier, permettre\n        Refuser à tous","html":"

AllowOverride FileInfo AuthConfig Limit\n    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec\n \n Ordre permettre, refuser\n        Autoriser de tous\n \n \n \n \n \n Ordre nier, permettre\n        Refuser à tous

"},{"id":"text-78","type":"text","heading":"","plain_text":"Passer à un commentaire (ajouter "#" au début de la ligne) à partir de Fedora Core par défaut UserDir désactiver et assigner le répertoire public_html en tant que répertoire accessible du serveur Web.\n OU\n Attribuez à un seul utilisateur la possibilité spécifique de partager son répertoire:","html":"

Passer à un commentaire (ajouter "#" au début de la ligne) à partir de Fedora Core par défaut UserDir désactiver et assigner le répertoire public_html en tant que répertoire accessible du serveur Web.\n OU\n Attribuez à un seul utilisateur la possibilité spécifique de partager son répertoire:

"},{"id":"text-79","type":"text","heading":"","plain_text":"Les index des options incluent FollowSymLinks\n   AllowOverride None\n   ordre autoriser, refuser\n   permettre à tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+","html":"

Les index des options incluent FollowSymLinks\n   AllowOverride None\n   ordre autoriser, refuser\n   permettre à tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+

"},{"id":"text-80","type":"text","heading":"","plain_text":"Permet à l'utilisateur spécifique, "utilisateur1"seulement, la possibilité de servir le répertoire /maison/utilisateur1/ public_html /\nUtilisez également la commande SELinux pour définir le contexte de sécurité: setsebool httpd_enable_homedirs true","html":"

Permet à l'utilisateur spécifique, "utilisateur1"seulement, la possibilité de servir le répertoire /maison/utilisateur1/ public_html /\nUtilisez également la commande SELinux pour définir le contexte de sécurité: setsebool httpd_enable_homedirs true

"},{"id":"text-81","type":"text","heading":"","plain_text":"Autorisations de répertoire: Le démon du serveur Web Apache doit pouvoir lire votre site Web.\npages afin d’alimenter leur contenu sur le réseau. Utilisez un approprié\numask et protection de fichiers. Autoriser l'accès au répertoire Web: chmod ugo + rx -R public_html.\n Notez que le répertoire de l'utilisateur doit également avoir les autorisations appropriées car il est le parent de public_html.\n Autorisations par défaut sur le répertoire de l'utilisateur: ls -l / home\n drwx ------ 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1\n Autorisez l’accès au serveur Web à exploiter le répertoire parent: chmod ugo + x / home / user1\n d-wx - x - x 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1","html":"

Autorisations de répertoire: Le démon du serveur Web Apache doit pouvoir lire votre site Web.\npages afin d’alimenter leur contenu sur le réseau. Utilisez un approprié\numask et protection de fichiers. Autoriser l'accès au répertoire Web: chmod ugo + rx -R public_html.\n Notez que le répertoire de l'utilisateur doit également avoir les autorisations appropriées car il est le parent de public_html.\n Autorisations par défaut sur le répertoire de l'utilisateur: ls -l / home\n drwx ------ 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1\n Autorisez l’accès au serveur Web à exploiter le répertoire parent: chmod ugo + x / home / user1\n d-wx - x - x 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1

"},{"id":"text-82","type":"text","heading":"","plain_text":"On peut également utiliser des groupes pour contrôler les autorisations.\nVoir le tutoriel YoLinux sur la gestion des groupes.","html":"

On peut également utiliser des groupes pour contrôler les autorisations.\nVoir le tutoriel YoLinux sur la gestion des groupes.

"},{"id":"text-83","type":"text","heading":"","plain_text":"Activer Apache d'Ubuntu public_html accès au répertoire utilisateur:\nUbuntu a découpé les directives du module chargeable Apache dans le répertoire\n/ etc / apache2 / mods-available /.\nPour activer un module Apache, générez des liens symboliques vers le répertoire / etc / apache2 / sites-enabled / en utilisant les commandes a2enmod/a2dismod activer / désactiver les modules Apache.","html":"

Activer Apache d'Ubuntu public_html accès au répertoire utilisateur:\nUbuntu a découpé les directives du module chargeable Apache dans le répertoire\n/ etc / apache2 / mods-available /.\nPour activer un module Apache, générez des liens symboliques vers le répertoire / etc / apache2 / sites-enabled / en utilisant les commandes a2enmod/a2dismod activer / désactiver les modules Apache.

"},{"id":"text-84","type":"text","heading":"","plain_text":"Exemple:","html":"

Exemple:

"},{"id":"text-85","type":"text","heading":"","plain_text":"[root@node2]# a2enmod\n Une liste des modules disponibles est affichée. Entrez "userdir" comme module à activer.","html":"

[root@node2]# a2enmod\n Une liste des modules disponibles est affichée. Entrez "userdir" comme module à activer.

"},{"id":"text-86","type":"text","heading":"","plain_text":"Redémarrez Apache avec la commande suivante: /etc/init.d/apache2 force-reload","html":"

Redémarrez Apache avec la commande suivante: /etc/init.d/apache2 force-reload

"},{"id":"text-87","type":"text","heading":"","plain_text":"Remarque: Cela revient à générer manuellement les deux liens symboliques suivants:","html":"

Remarque: Cela revient à générer manuellement les deux liens symboliques suivants:

"},{"id":"text-88","type":"text","heading":"","plain_text":"ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf","html":"

ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf

"},{"id":"text-89","type":"text","heading":"","plain_text":"ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load","html":"

ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load

"},{"id":"text-90","type":"text","heading":"","plain_text":"Page de manuel: a2enmod / a2dismod","html":"

Page de manuel: a2enmod / a2dismod

"},{"id":"text-91","type":"text","heading":"","plain_text":"[Potential Pitfall]: Si le serveur Web Apache ne peut pas accéder au fichier, vous obtiendrez le message d'erreur "403 interdit" "Vous n'avez pas la permission d'accéder nom de fichier sur ce serveur. "\nNotez que les autorisations par défaut sur un répertoire utilisateur lors de sa création avec "useradd" sont les suivantes:","html":"

[Potential Pitfall]: Si le serveur Web Apache ne peut pas accéder au fichier, vous obtiendrez le message d'erreur "403 interdit" "Vous n'avez pas la permission d'accéder nom de fichier sur ce serveur. "\nNotez que les autorisations par défaut sur un répertoire utilisateur lors de sa création avec "useradd" sont les suivantes:

"},{"id":"text-92","type":"text","heading":"","plain_text":"drwx ------ 3 userx userx\nVous devez autoriser le serveur Web exécuté en tant qu'utilisateur "apache" à accéder au répertoire s'il doit afficher les pages qu'il contient.","html":"

drwx ------ 3 userx userx\nVous devez autoriser le serveur Web exécuté en tant qu'utilisateur "apache" à accéder au répertoire s'il doit afficher les pages qu'il contient.

"},{"id":"text-93","type":"text","heading":"","plain_text":"Correction avec la commande: chmod ugo + rx / home / userx","html":"

Correction avec la commande: chmod ugo + rx / home / userx

"},{"id":"text-94","type":"text","heading":"","plain_text":"drwxr-xr-x 3 userx userx","html":"

drwxr-xr-x 3 userx userx

"},{"id":"text-95","type":"text","heading":"","plain_text":"Ordre de fonctionnement du fichier de configuration:\nLes directives de configuration sont affectées dans l'ordre dans lequel elles sont lues.\nCeci est important sinon un comportement inattendu peut en résulter.","html":"

Ordre de fonctionnement du fichier de configuration:\nLes directives de configuration sont affectées dans l'ordre dans lequel elles sont lues.\nCeci est important sinon un comportement inattendu peut en résulter.

"},{"id":"text-96","type":"text","heading":"","plain_text":"Les fichiers de configuration Red Hat / CentOS / Fedora / AWS sont lus dans l'ordre suivant:","html":"

Les fichiers de configuration Red Hat / CentOS / Fedora / AWS sont lus dans l'ordre suivant:

"},{"id":"text-97","type":"text","heading":"","plain_text":"/etc/httpd/conf/httpd.conf\n lit les fichiers d'inclusion "Inclure conf.modules.d / *. Conf" et "IncludeOptional conf.d / *. Conf"","html":"

/etc/httpd/conf/httpd.conf\n lit les fichiers d'inclusion "Inclure conf.modules.d / *. Conf" et "IncludeOptional conf.d / *. Conf"

"},{"id":"text-98","type":"text","heading":"","plain_text":"/etc/httpd/conf.modules/*.conf","html":"

/etc/httpd/conf.modules/*.conf

"},{"id":"text-99","type":"text","heading":"","plain_text":"/etc/httpd/conf.d/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.","html":"

/etc/httpd/conf.d/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.

"},{"id":"text-100","type":"text","heading":"","plain_text":"Les fichiers de configuration Ubuntu / Debian sont lus dans l'ordre suivant:","html":"

Les fichiers de configuration Ubuntu / Debian sont lus dans l'ordre suivant:

"},{"id":"text-101","type":"text","heading":"","plain_text":"/etc/apache2/apache2.conf\n lit les fichiers d'inclusion","html":"

/etc/apache2/apache2.conf\n lit les fichiers d'inclusion

"},{"id":"text-102","type":"text","heading":"","plain_text":"/etc/apache2/mods-enabled/*.load","html":"

/etc/apache2/mods-enabled/*.load

"},{"id":"text-103","type":"text","heading":"","plain_text":"/etc/apache2/mods-enabled/*.conf","html":"

/etc/apache2/mods-enabled/*.conf

"},{"id":"text-104","type":"text","heading":"","plain_text":"/etc/apache2/conf-enabled/*.conf","html":"

/etc/apache2/conf-enabled/*.conf

"},{"id":"text-105","type":"text","heading":"","plain_text":"/etc/apache2/sites-enabled/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.","html":"

/etc/apache2/sites-enabled/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique.

"},{"id":"text-106","type":"text","heading":"","plain_text":"La valeur par défaut du serveur pour l'accès à l'aide de l'adresse IP est généralement le premier domaine défini dans "conf.d / *. conf"tel que défini par l'ordre alphabétique.\nC'est également ce que voient les pirates sur le site lors de l'analyse du réseau via des adresses IP.\nC'est souvent une malédiction d'avoir un domaine commençant par la lettre "a" car des serveurs mal configurés dirigeront tout le trafic des hackers vers ce site.\nPar conséquent, il est recommandé de générer une configuration par défaut pour l’accès aux adresses IP.","html":"

La valeur par défaut du serveur pour l'accès à l'aide de l'adresse IP est généralement le premier domaine défini dans "conf.d / *. conf"tel que défini par l'ordre alphabétique.\nC'est également ce que voient les pirates sur le site lors de l'analyse du réseau via des adresses IP.\nC'est souvent une malédiction d'avoir un domaine commençant par la lettre "a" car des serveurs mal configurés dirigeront tout le trafic des hackers vers ce site.\nPar conséquent, il est recommandé de générer une configuration par défaut pour l’accès aux adresses IP.

"},{"id":"text-107","type":"text","heading":"","plain_text":"Fichier: /etc/httpd/conf.d/1st.conf (Ubuntu: /etc/apache2/sites-enabled/1st.conf)","html":"

Fichier: /etc/httpd/conf.d/1st.conf (Ubuntu: /etc/apache2/sites-enabled/1st.conf)

"},{"id":"text-108","type":"text","heading":"","plain_text":"DirectoryIndex index.html","html":"

DirectoryIndex index.html

"},{"id":"text-109","type":"text","heading":"","plain_text":"NomServeur www4.defaultdomain.com\n    DocumentRoot / srv / www / default / html\n    ErrorLog /var/log/httpd/1st-error.log\n    TransferLog /var/log/httpd/1st-access.log\n \n Options FollowSymLinks\n        AllowOverride None\n \n \n \n \n \n Options FollowSymLinks MultiViews Inclut\n        IndexOptions SuppressLastModified SuppressDescription\n        AllowOverride All\n        Ordre permettre, refuser\n        permettre à tous","html":"

NomServeur www4.defaultdomain.com\n    DocumentRoot / srv / www / default / html\n    ErrorLog /var/log/httpd/1st-error.log\n    TransferLog /var/log/httpd/1st-access.log\n \n Options FollowSymLinks\n        AllowOverride None\n \n \n \n \n \n Options FollowSymLinks MultiViews Inclut\n        IndexOptions SuppressLastModified SuppressDescription\n        AllowOverride All\n        Ordre permettre, refuser\n        permettre à tous

"},{"id":"text-110","type":"text","heading":"","plain_text":"Page Web par défaut: /srv/www/default/html/index.html devrait être une simple page statique sans accès à la base de données ou au CMS.\nAprès tout, les seuls qui se retrouvent ici sont les pirates.\nContextes de sécurité SELinux:\nFedora Core 3 et Red Hat Enterprise Linux 4 ont introduit les règles de sécurité et les étiquettes de contexte SELinux (Security Enhanced Linux).\n \nPour afficher les étiquettes de contexte de sécurité appliquées à vos fichiers de page Web, utilisez la commande\ncommander: ls -Z\nLe système active / désactive les politiques SELinux dans le fichier. / etc / selinux / config\n SELinux peut être désactivé en définissant la directive SELINUX. (Ensuite, redémarrez le système):","html":"

Page Web par défaut: /srv/www/default/html/index.html devrait être une simple page statique sans accès à la base de données ou au CMS.\nAprès tout, les seuls qui se retrouvent ici sont les pirates.\nContextes de sécurité SELinux:\nFedora Core 3 et Red Hat Enterprise Linux 4 ont introduit les règles de sécurité et les étiquettes de contexte SELinux (Security Enhanced Linux).\n \nPour afficher les étiquettes de contexte de sécurité appliquées à vos fichiers de page Web, utilisez la commande\ncommander: ls -Z\nLe système active / désactive les politiques SELinux dans le fichier. / etc / selinux / config\n SELinux peut être désactivé en définissant la directive SELINUX. (Ensuite, redémarrez le système):

"},{"id":"text-111","type":"text","heading":"","plain_text":"SELINUX = désactivé","html":"

SELINUX = désactivé

"},{"id":"text-112","type":"text","heading":"","plain_text":"ou en utilisant la commande setenforce 0 désactiver temporairement SELinux jusqu'au prochain redémarrage.","html":"

ou en utilisant la commande setenforce 0 désactiver temporairement SELinux jusqu'au prochain redémarrage.

"},{"id":"text-113","type":"text","heading":"","plain_text":"Lorsque vous utilisez les fonctions de sécurité de SELinux,\nles étiquettes de contexte de sécurité doivent être ajoutées pour qu'Apache puisse lire vos fichiers.\nL'étiquette de contexte de sécurité par défaut utilisée est héritée du répertoire des fichiers nouvellement créés. Donc une copie (cp) doit être utilisé et non un mouvement (mv)\nlors du placement de fichiers dans le répertoire de contenu. Déplacer ne crée pas un nouveau\nfichier et donc le fichier ne reçoit pas le contexte de sécurité du répertoire\nétiquette.\nLes étiquettes de contexte utilisées pour les répertoires Apache par défaut peuvent être\nvu\navec la commande: ls -Z / var / www\n Les répertoires Web des utilisateurs (c'est-à-dire public_html) devrait\nêtre défini avec l'étiquette de contexte appropriée (httpd_sys_content_t).\n \nAttribuez un contexte de sécurité pour les pages Web: chcon -R -h -t httpd_sys_content_t / home /utilisateur1/ public_html\n Options:","html":"

Lorsque vous utilisez les fonctions de sécurité de SELinux,\nles étiquettes de contexte de sécurité doivent être ajoutées pour qu'Apache puisse lire vos fichiers.\nL'étiquette de contexte de sécurité par défaut utilisée est héritée du répertoire des fichiers nouvellement créés. Donc une copie (cp) doit être utilisé et non un mouvement (mv)\nlors du placement de fichiers dans le répertoire de contenu. Déplacer ne crée pas un nouveau\nfichier et donc le fichier ne reçoit pas le contexte de sécurité du répertoire\nétiquette.\nLes étiquettes de contexte utilisées pour les répertoires Apache par défaut peuvent être\nvu\navec la commande: ls -Z / var / www\n Les répertoires Web des utilisateurs (c'est-à-dire public_html) devrait\nêtre défini avec l'étiquette de contexte appropriée (httpd_sys_content_t).\n \nAttribuez un contexte de sécurité pour les pages Web: chcon -R -h -t httpd_sys_content_t / home /utilisateur1/ public_html\n Options:

"},{"id":"text-114","type":"text","heading":"","plain_text":"-R: récursif. Fichiers et répertoires du répertoire en cours et de tous les sous-répertoires.","html":"

-R: récursif. Fichiers et répertoires du répertoire en cours et de tous les sous-répertoires.

"},{"id":"text-115","type":"text","heading":"","plain_text":"-h: affecte les liens symboliques.","html":"

-h: affecte les liens symboliques.

"},{"id":"text-116","type":"text","heading":"","plain_text":"-t: spécifie le type de contexte de sécurité.","html":"

-t: spécifie le type de contexte de sécurité.

"},{"id":"text-117","type":"text","heading":"","plain_text":"Utilisez les contextes de sécurité suivants:","html":"

Utilisez les contextes de sécurité suivants:

"},{"id":"text-118","type":"text","heading":"","plain_text":"Type de contexte\nLa description","html":"

Type de contexte\nLa description

"},{"id":"text-119","type":"text","heading":"","plain_text":"httpd_sys_content_t\nUtilisé pour le contenu Web statique. c'est-à-dire des pages Web HTML.","html":"

httpd_sys_content_t\nUtilisé pour le contenu Web statique. c'est-à-dire des pages Web HTML.

"},{"id":"text-120","type":"text","heading":"","plain_text":"httpd_sys_script_exec_t\nUtiliser pour les scripts CGI exécutables ou les exécutables binaires.","html":"

httpd_sys_script_exec_t\nUtiliser pour les scripts CGI exécutables ou les exécutables binaires.

"},{"id":"text-121","type":"text","heading":"","plain_text":"httpd_sys_script_rw_t\nCGI est autorisé à modifier / supprimer des fichiers de ce contexte.","html":"

httpd_sys_script_rw_t\nCGI est autorisé à modifier / supprimer des fichiers de ce contexte.

"},{"id":"text-122","type":"text","heading":"","plain_text":"httpd_sys_script_ra_t\nCGI est autorisé à lire ou à annexer des fichiers de ce contexte.","html":"

httpd_sys_script_ra_t\nCGI est autorisé à lire ou à annexer des fichiers de ce contexte.

"},{"id":"text-123","type":"text","heading":"","plain_text":"httpd_sys_script_ro_t\nCGI est autorisé à lire les fichiers et les répertoires de ce contexte.","html":"

httpd_sys_script_ro_t\nCGI est autorisé à lire les fichiers et les répertoires de ce contexte.

"},{"id":"text-124","type":"text","heading":"","plain_text":"Définissez les options suivantes: setsebool httpd-option vrai\n (ou réglé sur faux)","html":"

Définissez les options suivantes: setsebool httpd-option vrai\n (ou réglé sur faux)

"},{"id":"text-125","type":"text","heading":"","plain_text":"Politique\nLa description","html":"

Politique\nLa description

"},{"id":"text-126","type":"text","heading":"","plain_text":"httpd_enable_cgi \nAutoriser le support de httpd cgi.","html":"

httpd_enable_cgi \nAutoriser le support de httpd cgi.

"},{"id":"text-127","type":"text","heading":"","plain_text":"httpd_enable_homedirs \nAutoriser httpd à lire les répertoires personnels.","html":"

httpd_enable_homedirs \nAutoriser httpd à lire les répertoires personnels.

"},{"id":"text-128","type":"text","heading":"","plain_text":"httpd_ssi_exec \nAutorisez httpd à exécuter les exécutables SSI dans le même domaine que les scripts CGI du système.","html":"

httpd_ssi_exec \nAutorisez httpd à exécuter les exécutables SSI dans le même domaine que les scripts CGI du système.

"},{"id":"text-129","type":"text","heading":"","plain_text":"Puis redémarrez Apache:","html":"

Puis redémarrez Apache:

"},{"id":"text-130","type":"text","heading":"","plain_text":"Red Hat / Fedora / Suse et tous les systèmes Linux basés sur un script d'initialisation System V: /etc/init.d/httpd restart","html":"

Red Hat / Fedora / Suse et tous les systèmes Linux basés sur un script d'initialisation System V: /etc/init.d/httpd restart

"},{"id":"text-131","type":"text","heading":"","plain_text":"Red Hat / Fedora: service httpd restart","html":"

Red Hat / Fedora: service httpd restart

"},{"id":"text-132","type":"text","heading":"","plain_text":"Les valeurs booléennes SE par défaut sont spécifiées dans le fichier: / etc / selinux / target / booleans","html":"

Les valeurs booléennes SE par défaut sont spécifiées dans le fichier: / etc / selinux / target / booleans

"},{"id":"text-133","type":"text","heading":"","plain_text":"Pour plus d’informations sur SELinux, reportez-vous au tutoriel sur l’administration de systèmes YoLinux.","html":"

Pour plus d’informations sur SELinux, reportez-vous au tutoriel sur l’administration de systèmes YoLinux.

"},{"id":"text-134","type":"text","heading":"","plain_text":"Hôtes Virtuels:\nLe serveur Web Apache permet de configurer un seul ordinateur pour représenter plusieurs sites Web comme s'ils se trouvaient sur des hôtes distincts.\nDeux méthodes sont disponibles et nous décrivons la configuration de chacune. Choisissez une méthode pour votre domaine:","html":"

Hôtes Virtuels:\nLe serveur Web Apache permet de configurer un seul ordinateur pour représenter plusieurs sites Web comme s'ils se trouvaient sur des hôtes distincts.\nDeux méthodes sont disponibles et nous décrivons la configuration de chacune. Choisissez une méthode pour votre domaine:

"},{"id":"text-135","type":"text","heading":"","plain_text":"Nom d'hôte virtuel: (le plus commun)\n    Un seul ordinateur avec une seule adresse IP prenant en charge plusieurs domaines Web.\n    Le navigateur Web utilisant le protocole http identifie le domaine en cours d’adresse.","html":"

Nom d'hôte virtuel: (le plus commun)\n    Un seul ordinateur avec une seule adresse IP prenant en charge plusieurs domaines Web.\n    Le navigateur Web utilisant le protocole http identifie le domaine en cours d’adresse.

"},{"id":"text-136","type":"text","heading":"","plain_text":"Hôte virtuel basé sur IP:\n    Les hôtes virtuels peuvent être configurés comme un seul ordinateur multi-hébergé avec plusieurs adresses IP sur une seule carte réseau, chaque adresse IP représentant un domaine Web différent.\n    Cela a l'apparence d'un domaine Web pris en charge par un ordinateur dédié car il possède une adresse IP dédiée.","html":"

Hôte virtuel basé sur IP:\n    Les hôtes virtuels peuvent être configurés comme un seul ordinateur multi-hébergé avec plusieurs adresses IP sur une seule carte réseau, chaque adresse IP représentant un domaine Web différent.\n    Cela a l'apparence d'un domaine Web pris en charge par un ordinateur dédié car il possède une adresse IP dédiée.

"},{"id":"text-137","type":"text","heading":"","plain_text":"Configuration d'un hôte virtuel "basé sur le nom":\nUne configuration d'hôte virtuel permet d'héberger plusieurs domaines de site Web sur un serveur.\n(Cela n'est pas nécessaire pour un serveur Linux dédié hébergeant un seul site Web.)","html":"

Configuration d'un hôte virtuel "basé sur le nom":\nUne configuration d'hôte virtuel permet d'héberger plusieurs domaines de site Web sur un serveur.\n(Cela n'est pas nécessaire pour un serveur Linux dédié hébergeant un seul site Web.)

"},{"id":"text-138","type":"text","heading":"","plain_text":"NameVirtualHost XXX.XXX.XXX.XXX","html":"

NameVirtualHost XXX.XXX.XXX.XXX

"},{"id":"text-139","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com - CNAME (alias DNS www) spécifié dans (/ var / named / ...)\n ServerAlias votre-domaine.com - Autorise les requêtes sans le préfixe "www".\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_htmlLogs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log","html":"

<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com - CNAME (alias DNS www) spécifié dans (/ var / named / ...)\n ServerAlias votre-domaine.com - Autorise les requêtes sans le préfixe "www".\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_htmlLogs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log

"},{"id":"text-140","type":"text","heading":"","plain_text":"Remarques:","html":"

Remarques:

"},{"id":"text-141","type":"text","heading":"","plain_text":"Vous pouvez spécifier plusieurs adresses IP. c'est à dire si web\nserveur est également utilisé comme pare-feu / passerelle et vous avez un\nadresse IP Internet externe ainsi qu’une adresse IP de réseau local.","html":"

Vous pouvez spécifier plusieurs adresses IP. c'est à dire si web\nserveur est également utilisé comme pare-feu / passerelle et vous avez un\nadresse IP Internet externe ainsi qu’une adresse IP de réseau local.

"},{"id":"text-142","type":"text","heading":"","plain_text":"NameVirtualHost XXX.XXX.XXX.XXX","html":"

NameVirtualHost XXX.XXX.XXX.XXX

"},{"id":"text-143","type":"text","heading":"","plain_text":"NameVirtualHost 192.168.XXX.XXX","html":"

NameVirtualHost 192.168.XXX.XXX

"},{"id":"text-144","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>\n   ...\n   ..","html":"

<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>\n   ...\n   ..

"},{"id":"text-145","type":"text","heading":"","plain_text":"Reportez-vous au didacticiel YoLinux pour configurer un routeur / pare-feu réseau avec iptables et NAT.","html":"

Reportez-vous au didacticiel YoLinux pour configurer un routeur / pare-feu réseau avec iptables et NAT.

"},{"id":"text-146","type":"text","heading":"","plain_text":"Utilisez votre adresse IP pour XXX.XXX.XXX.XXX, nom de domaine et adresse e-mail actuels.\n On peut utiliser les vues DNS pour fournir différents résultats DNS du réseau local.","html":"

Utilisez votre adresse IP pour XXX.XXX.XXX.XXX, nom de domaine et adresse e-mail actuels.\n On peut utiliser les vues DNS pour fournir différents résultats DNS du réseau local.

"},{"id":"text-147","type":"text","heading":"","plain_text":"L'adresse IP de l'hôte peut être référencée de manière générique pour fonctionner sur toutes les cartes réseau:","html":"

L'adresse IP de l'hôte peut être référencée de manière générique pour fonctionner sur toutes les cartes réseau:

"},{"id":"text-148","type":"text","heading":"","plain_text":"<VirtualHost *: 80>\n   ...\n   ..","html":"

<VirtualHost *: 80>\n   ...\n   ..

"},{"id":"text-149","type":"text","heading":"","plain_text":"Remarque Cette méthode est recommandée pour les hébergements basés sur NAT, tels qu'Amazon Web Services (AWS) EC2.","html":"

Remarque Cette méthode est recommandée pour les hébergements basés sur NAT, tels qu'Amazon Web Services (AWS) EC2.

"},{"id":"text-150","type":"text","heading":"","plain_text":"Notez que je configure Apache pour les deux demandes http: // www.nom de domaine.com et http: //nom de domaine.com.","html":"

Notez que je configure Apache pour les deux demandes http: // www.nom de domaine.com et http: //nom de domaine.com.

"},{"id":"text-151","type":"text","heading":"","plain_text":"Une fois les hôtes virtuels configurés, votre système par défaut\n    domaine (/ var / www / html) cessera de fonctionner.\n    Votre domaine par défaut doit maintenant être configuré en tant que domaine virtuel.","html":"

Une fois les hôtes virtuels configurés, votre système par défaut\n    domaine (/ var / www / html) cessera de fonctionner.\n    Votre domaine par défaut doit maintenant être configuré en tant que domaine virtuel.

"},{"id":"text-152","type":"text","heading":"","plain_text":"... Cette partie reste la même\n \n \n \n ..","html":"

... Cette partie reste la même\n \n \n \n ..

"},{"id":"text-153","type":"text","heading":"","plain_text":"# Valeur par défaut lorsque aucun nom de domaine n’est donné (accès par adresse IP, par exemple)","html":"

# Valeur par défaut lorsque aucun nom de domaine n’est donné (accès par adresse IP, par exemple)

"},{"id":"text-154","type":"text","heading":"","plain_text":"<VirtualHost *: 80>\n   ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log","html":"

<VirtualHost *: 80>\n   ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log

"},{"id":"text-155","type":"text","heading":"","plain_text":"# Ajoutez une définition VirtualHost pour votre domaine qui était autrefois la valeur par défaut du système.","html":"

# Ajoutez une définition VirtualHost pour votre domaine qui était autrefois la valeur par défaut du système.

"},{"id":"text-156","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com\n \n \n \n ServerAlias votre-domaine.com\n \n \n \n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log","html":"

<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com\n \n \n \n ServerAlias votre-domaine.com\n \n \n \n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log

"},{"id":"text-157","type":"text","heading":"","plain_text":"...\n   ..","html":"

...\n   ..

"},{"id":"text-158","type":"text","heading":"","plain_text":"Transfert vers une URL primaire. Il est préférable d'éviter l'apparition de contenu Web dupliqué à partir de deux URL telles que http: // www.ton domaine.com et\n http: //ton domaine.com. Fournissez une "redirection" Apache de redirection.","html":"

Transfert vers une URL primaire. Il est préférable d'éviter l'apparition de contenu Web dupliqué à partir de deux URL telles que http: // www.ton domaine.com et\n http: //ton domaine.com. Fournissez une "redirection" Apache de redirection.

"},{"id":"text-159","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur www.votre-domaine.com - Notez qu'aucun alias n'est répertorié\n \n \n \n ...\n   ...","html":"

<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur www.votre-domaine.com - Notez qu'aucun alias n'est répertorié\n \n \n \n ...\n   ...

"},{"id":"text-160","type":"text","heading":"","plain_text":"# Ajouter une définition VirtualHost à transférer à votre URL principale","html":"

# Ajouter une définition VirtualHost à transférer à votre URL principale

"},{"id":"text-161","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur votre-domaine.com\n \n \n \n ServerAlias autre-domaine.com\n \n \n \n ServerAlias ​​www.autre-domaine.com\n \n \n \n Rediriger permanent / http: // www.votre-domaine.com.com /","html":"

<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur votre-domaine.com\n \n \n \n ServerAlias autre-domaine.com\n \n \n \n ServerAlias ​​www.autre-domaine.com\n \n \n \n Rediriger permanent / http: // www.votre-domaine.com.com /

"},{"id":"text-162","type":"text","heading":"","plain_text":"...\n   ..\n \nRemarque:","html":"

...\n   ..\n \nRemarque:

"},{"id":"text-163","type":"text","heading":"","plain_text":"Plus d'exemples d'hôte virtuel.","html":"

Plus d'exemples d'hôte virtuel.

"},{"id":"text-164","type":"text","heading":"","plain_text":"Lorsqu’ils spécifient plus de domaines, ils peuvent tous utiliser la même adresse IP ou certains / tous\npeuvent utiliser leur propre adresse IP unique.\nSpécifiez un "NameVirtualHost" pour chaque adresse IP.","html":"

Lorsqu’ils spécifient plus de domaines, ils peuvent tous utiliser la même adresse IP ou certains / tous\npeuvent utiliser leur propre adresse IP unique.\nSpécifiez un "NameVirtualHost" pour chaque adresse IP.

"},{"id":"text-165","type":"text","heading":"","plain_text":"Une fois les fichiers de configuration Apache modifiés, redémarrez le démon httpd:\n /etc/rc.d/init.d/httpd restart (Chapeau rouge) ou /etc/init.d/apache2 restart (Ubuntu / Debian)","html":"

Une fois les fichiers de configuration Apache modifiés, redémarrez le démon httpd:\n /etc/rc.d/init.d/httpd restart (Chapeau rouge) ou /etc/init.d/apache2 restart (Ubuntu / Debian)

"},{"id":"text-166","type":"text","heading":"","plain_text":"Configuration du domaine virtuel Apache avec Ubuntu:\nUbuntu sépare chaque domaine virtuel dans un fichier de configuration séparé\ntenue dans l'annuaire / etc / apache2 / sites-available /.\nLorsque le domaine du site doit devenir actif, un lien symbolique est créé vers le répertoire. / etc / apache2 / sites-enabled /.\nExemple: / etc / apache2 / sites-available / supercorp","html":"

Configuration du domaine virtuel Apache avec Ubuntu:\nUbuntu sépare chaque domaine virtuel dans un fichier de configuration séparé\ntenue dans l'annuaire / etc / apache2 / sites-available /.\nLorsque le domaine du site doit devenir actif, un lien symbolique est créé vers le répertoire. / etc / apache2 / sites-enabled /.\nExemple: / etc / apache2 / sites-available / supercorp

"},{"id":"text-167","type":"text","heading":"","plain_text":"NomServeur supercorp.com\n        ServerAlias ​​www.supercorp.com\n        Webmaster ServerAdmin @ localhost","html":"

NomServeur supercorp.com\n        ServerAlias ​​www.supercorp.com\n        Webmaster ServerAdmin @ localhost

"},{"id":"text-168","type":"text","heading":"","plain_text":"        DocumentRoot / home / supercorp / public_html / home\n \n Options FollowSymLinks\n                AllowOverride None\n \n \n \n \n \n Options Index FollowSymLinks MultiViews\n                IndexOptions SuppressLastModified SuppressDescription\n                AllowOverride All\n                Ordre permettre, refuser\n                permettre à tous\n                Exiger tout accordé - Ceci est requis pour Apache 2.4+","html":"

        DocumentRoot / home / supercorp / public_html / home\n \n Options FollowSymLinks\n                AllowOverride None\n \n \n \n \n \n Options Index FollowSymLinks MultiViews\n                IndexOptions SuppressLastModified SuppressDescription\n                AllowOverride All\n                Ordre permettre, refuser\n                permettre à tous\n                Exiger tout accordé - Ceci est requis pour Apache 2.4+

"},{"id":"text-169","type":"text","heading":"","plain_text":"ScriptAlias ​​/ cgi-bin / / home / supercorp / cgi-bin /\n \n AllowOverride None\n                Options + ExecCGI -MultiViews + SymLinksIfOwnerMatch\n                Ordre permettre, refuser\n                Autoriser de tous","html":"

ScriptAlias ​​/ cgi-bin / / home / supercorp / cgi-bin /\n \n AllowOverride None\n                Options + ExecCGI -MultiViews + SymLinksIfOwnerMatch\n                Ordre permettre, refuser\n                Autoriser de tous

"},{"id":"text-170","type":"text","heading":"","plain_text":"ErrorLog /var/log/apache2/supercorp.com-error.log","html":"

ErrorLog /var/log/apache2/supercorp.com-error.log

"},{"id":"text-171","type":"text","heading":"","plain_text":"        # Les valeurs possibles incluent: debug, info, notice, avertir, erreur,\n        # crit, alerte, émergent.\n        LogLevel avertir\n        CustomLog /var/log/apache2/supercorp.com-access.log combinés\n        ServerSignature On","html":"

        # Les valeurs possibles incluent: debug, info, notice, avertir, erreur,\n        # crit, alerte, émergent.\n        LogLevel avertir\n        CustomLog /var/log/apache2/supercorp.com-access.log combinés\n        ServerSignature On

"},{"id":"text-172","type":"text","heading":"","plain_text":"Activer le domaine:","html":"

Activer le domaine:

"},{"id":"text-173","type":"text","heading":"","plain_text":"Créer un lien symbolique:","html":"

Créer un lien symbolique:

"},{"id":"text-174","type":"text","heading":"","plain_text":"Manuellement: ln -s / etc / apache2 / sites-disponibles / supercorp / etc / apache2 / sites-enabled / supercorp\n \nUtiliser les scripts Ubuntu a2ensite/a2dissite. Tapez commande et il vous demandera quel site vous souhaitez activer ou désactiver.","html":"

Manuellement: ln -s / etc / apache2 / sites-disponibles / supercorp / etc / apache2 / sites-enabled / supercorp\n \nUtiliser les scripts Ubuntu a2ensite/a2dissite. Tapez commande et il vous demandera quel site vous souhaitez activer ou désactiver.

"},{"id":"text-175","type":"text","heading":"","plain_text":"Redémarrez Apache:","html":"

Redémarrez Apache:

"},{"id":"text-176","type":"text","heading":"","plain_text":"apachectl gracieux\n ou\n \n/etc/init.d/apache2 restart\n ou\n \n/etc/init.d/apache2 reload","html":"

apachectl gracieux\n ou\n \n/etc/init.d/apache2 restart\n ou\n \n/etc/init.d/apache2 reload

"},{"id":"text-177","type":"text","heading":"","plain_text":"Notez également que les modules Apache peuvent également être activés / désactivés avec des scripts a2enmod / a2dismod.","html":"

Notez également que les modules Apache peuvent également être activés / désactivés avec des scripts a2enmod / a2dismod.

"},{"id":"text-178","type":"text","heading":"","plain_text":"Pages de manuel:","html":"

Pages de manuel:

"},{"id":"text-179","type":"text","heading":"","plain_text":"Configuration d'un hôte virtuel "basé sur IP":\nOn peut attribuer plusieurs adresses IP à une seule interface réseau.\nVoir le tutoriel de mise en réseau YoLinux: Aliasing de réseau.\nChaque adresse IP peut alors être son propre serveur virtuel et son propre domaine.\nL’inconvénient de la méthode d’hôte virtuel "basée sur IP" est que vous devez posséder\nadresses IP multiples / supplémentaires. Cela coûte généralement plus cher.\nLa méthode d'hébergement virtuel basée sur le nom standard ci-dessus est plus populaire pour cette raison.","html":"

Configuration d'un hôte virtuel "basé sur IP":\nOn peut attribuer plusieurs adresses IP à une seule interface réseau.\nVoir le tutoriel de mise en réseau YoLinux: Aliasing de réseau.\nChaque adresse IP peut alors être son propre serveur virtuel et son propre domaine.\nL’inconvénient de la méthode d’hôte virtuel "basée sur IP" est que vous devez posséder\nadresses IP multiples / supplémentaires. Cela coûte généralement plus cher.\nLa méthode d'hébergement virtuel basée sur le nom standard ci-dessus est plus populaire pour cette raison.

"},{"id":"text-180","type":"text","heading":"","plain_text":"NameVirtualHost * - Indique toutes les adresses IP","html":"

NameVirtualHost * - Indique toutes les adresses IP

"},{"id":"text-181","type":"text","heading":"","plain_text":"<VirtualHost *>\n   ServerAdmin utilisateur0@default-domain.com\n \n \n \n DocumentRoot / home /utilisateur0/ public_html","html":"

<VirtualHost *>\n   ServerAdmin utilisateur0@default-domain.com\n \n \n \n DocumentRoot / home /utilisateur0/ public_html

"},{"id":"text-182","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.101>\n   ServerAdmin utilisateur1@domain-1.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html","html":"

<VirtualHost XXX.XXX.XXX.101>\n   ServerAdmin utilisateur1@domain-1.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html

"},{"id":"text-183","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.102>\n   ServerAdmin utilisateur1@domain-2.com\n \n \n \n DocumentRoot / home /utilisateur2/ public_html","html":"

<VirtualHost XXX.XXX.XXX.102>\n   ServerAdmin utilisateur1@domain-2.com\n \n \n \n DocumentRoot / home /utilisateur2/ public_html

"},{"id":"text-184","type":"text","heading":"","plain_text":"Le défaut bloc sera utilisé par défaut\npour toutes les adresses IP non spécifiées explicitement.\nCette adresse IP par défaut (*) peut ne pas fonctionner pour https URL.\nCGI: (interface de passerelle commune)\nCGI est un programme exécutable qui génère dynamiquement une page Web en écrivant\nà stdout. CGI est autorisé par l'une des deux directives de fichier de configuration suivantes:\nLes fichiers de programme exécutables doivent avoir les privilèges d’exécution, exécutables par le\npropriétaire du processus (Red Hat 7 + / Fedora Core: apache.\nUtilisation plus ancienne personne) sous lequel le démon httpd est exécuté.\nConfiguration de CGI pour une exécution avec des privilèges utilisateur:\nLa fonctionnalité suEXEC offre aux utilisateurs Apache la possibilité d’exécuter CGI et SSI.\nprogrammes sous des identifiants d'utilisateur différents de ceux de l'appelant\nserveur Web. Normalement, lorsqu'un programme CGI ou SSI s'exécute, il s'exécute en tant que\nle même utilisateur qui exécute le serveur Web.","html":"

Le défaut bloc sera utilisé par défaut\npour toutes les adresses IP non spécifiées explicitement.\nCette adresse IP par défaut (*) peut ne pas fonctionner pour https URL.\nCGI: (interface de passerelle commune)\nCGI est un programme exécutable qui génère dynamiquement une page Web en écrivant\nà stdout. CGI est autorisé par l'une des deux directives de fichier de configuration suivantes:\nLes fichiers de programme exécutables doivent avoir les privilèges d’exécution, exécutables par le\npropriétaire du processus (Red Hat 7 + / Fedora Core: apache.\nUtilisation plus ancienne personne) sous lequel le démon httpd est exécuté.\nConfiguration de CGI pour une exécution avec des privilèges utilisateur:\nLa fonctionnalité suEXEC offre aux utilisateurs Apache la possibilité d’exécuter CGI et SSI.\nprogrammes sous des identifiants d'utilisateur différents de ceux de l'appelant\nserveur Web. Normalement, lorsqu'un programme CGI ou SSI s'exécute, il s'exécute en tant que\nle même utilisateur qui exécute le serveur Web.

"},{"id":"text-185","type":"text","heading":"","plain_text":"NameVirtualHost XXX.XXX.XXX.XXX","html":"

NameVirtualHost XXX.XXX.XXX.XXX

"},{"id":"text-186","type":"text","heading":"","plain_text":"<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur noeud1.votre-domaine.com - Permet les demandes par nom de domaine sans le préfixe "www".\n ServerAlias votre-domaine.com www.votre-domaine.com - CNAME (alias www) spécifié dans le fichier de configuration Bind (/ var / named / ...)\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html /votre-domaine.com\n \n \n \n Logs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log","html":"

<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur noeud1.votre-domaine.com - Permet les demandes par nom de domaine sans le préfixe "www".\n ServerAlias votre-domaine.com www.votre-domaine.com - CNAME (alias www) spécifié dans le fichier de configuration Bind (/ var / named / ...)\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html /votre-domaine.com\n \n \n \n Logs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log

"},{"id":"text-187","type":"text","heading":"","plain_text":"   SuexecUserGroup utilisateur1 utilisateur1\n \n \n \n <Répertoire / home /utilisateur1/ public_html /votre-domaine.com/>\n      Options + ExecCGI + Index\n      AddHandler cgi-script .cgi","html":"

   SuexecUserGroup utilisateur1 utilisateur1\n \n \n \n <Répertoire / home /utilisateur1/ public_html /votre-domaine.com/>\n      Options + ExecCGI + Index\n      AddHandler cgi-script .cgi

"},{"id":"text-188","type":"text","heading":"","plain_text":"Pages d'erreur:\nVous pouvez spécifier vos propres pages Web au lieu des pages d'erreur Apache par défaut:","html":"

Pages d'erreur:\nVous pouvez spécifier vos propres pages Web au lieu des pages d'erreur Apache par défaut:

"},{"id":"text-189","type":"text","heading":"","plain_text":"ErrorDocument 404 /Error404-missing.html\nCréer le fichier Error404-missing.html dans votre répertoire "DocumentRoot".","html":"

ErrorDocument 404 /Error404-missing.html\nCréer le fichier Error404-missing.html dans votre répertoire "DocumentRoot".

"},{"id":"text-190","type":"text","heading":"","plain_text":"Traitez toutes les erreurs avec une page de transfert:","html":"

Traitez toutes les erreurs avec une page de transfert:

"},{"id":"text-191","type":"text","heading":"","plain_text":"ErrorDocument 400 /error.shtml\nErrorDocument 401 /error.shtml\nErrorDocument 403 /error.shtml\nErrorDocument 404 /error.shtml\nErrorDocument 500 /error.shtml","html":"

ErrorDocument 400 /error.shtml\nErrorDocument 401 /error.shtml\nErrorDocument 403 /error.shtml\nErrorDocument 404 /error.shtml\nErrorDocument 500 /error.shtml

"},{"id":"text-192","type":"text","heading":"","plain_text":"Exemple de fichier error.shtml (dans votre répertoire "DocumentRoot").","html":"

Exemple de fichier error.shtml (dans votre répertoire "DocumentRoot").

"},{"id":"text-193","type":"text","heading":"","plain_text":"Page non trouvée!","html":"

Page non trouvée!

"},{"id":"text-194","type":"text","heading":"","plain_text":"PHP:\nSi les RPM appropriés php, perl et httpd sont installés,\nla configuration et les modules Red Hat Apache par défaut prend en charge PHP\ncontenu.\nPaquets RPM (RHEL):","html":"

PHP:\nSi les RPM appropriés php, perl et httpd sont installés,\nla configuration et les modules Red Hat Apache par défaut prend en charge PHP\ncontenu.\nPaquets RPM (RHEL):

"},{"id":"text-195","type":"text","heading":"","plain_text":"php: langage de script HTML","html":"

php: langage de script HTML

"},{"id":"text-196","type":"text","heading":"","plain_text":"php-pear: PEAR est un framework et un système de distribution de composants PHP réutilisables.","html":"

php-pear: PEAR est un framework et un système de distribution de composants PHP réutilisables.

"},{"id":"text-197","type":"text","heading":"","plain_text":"php-mysql: support de la base de données MySQL.","html":"

php-mysql: support de la base de données MySQL.

"},{"id":"text-198","type":"text","heading":"","plain_text":"php-ldap: support du protocole LDAP (Lightweight Directory Access Protocol)","html":"

php-ldap: support du protocole LDAP (Lightweight Directory Access Protocol)

"},{"id":"text-199","type":"text","heading":"","plain_text":"Configuration Apache:","html":"

Configuration Apache:

"},{"id":"text-200","type":"text","heading":"","plain_text":"Ajoutez php default page index.php au fichier de configuration apache: /etc/httpd/conf/httpd.conf","html":"

Ajoutez php default page index.php au fichier de configuration apache: /etc/httpd/conf/httpd.conf

"},{"id":"text-201","type":"text","heading":"","plain_text":"...","html":"

...

"},{"id":"text-202","type":"text","heading":"","plain_text":"DirectoryIndex index.html index.htm index.php","html":"

DirectoryIndex index.html index.htm index.php

"},{"id":"text-203","type":"text","heading":"","plain_text":"...","html":"

...

"},{"id":"text-204","type":"text","heading":"","plain_text":"Fichier de configuration PHP:","html":"

Fichier de configuration PHP:

"},{"id":"text-205","type":"text","heading":"","plain_text":"AWS – PHP 5.6: /etc/php-5.6.d/php.ini\nRHEL4 – PHP 4.3: /etc/php.ini\nUbuntu 18.04: /etc/php/7.2/apache2/php.ini\nUbuntu 6.06 / 6.11: /etc/php5/apache2/php.ini","html":"

AWS – PHP 5.6: /etc/php-5.6.d/php.ini\nRHEL4 – PHP 4.3: /etc/php.ini\nUbuntu 18.04: /etc/php/7.2/apache2/php.ini\nUbuntu 6.06 / 6.11: /etc/php5/apache2/php.ini

"},{"id":"text-206","type":"text","heading":"","plain_text":"[PHP]","html":"

[PHP]

"},{"id":"text-207","type":"text","heading":"","plain_text":"moteur = allumé\n...\n...\ndisplay_errors = Off\ninclude_path = ".: / php / includes"\n...\n...\nmemory_limit = 32M; La valeur par défaut est généralement de 8 Mo, ce qui est trop faible.\n...\n...","html":"

moteur = allumé\n...\n...\ndisplay_errors = Off\ninclude_path = ".: / php / includes"\n...\n...\nmemory_limit = 32M; La valeur par défaut est généralement de 8 Mo, ce qui est trop faible.\n...\n...

"},{"id":"text-208","type":"text","heading":"","plain_text":"[MySQL]\n...\n...\nmysql.default_host = super-serveur ; Nom d'hôte de l'ordinateur\nmysql.default_user = Dbuser","html":"

[MySQL]\n...\n...\nmysql.default_host = super-serveur ; Nom d'hôte de l'ordinateur\nmysql.default_user = Dbuser

"},{"id":"text-209","type":"text","heading":"","plain_text":"...","html":"

...

"},{"id":"text-210","type":"text","heading":"","plain_text":"Petite partie du fichier montré.","html":"

Petite partie du fichier montré.

"},{"id":"text-211","type":"text","heading":"","plain_text":"Notez que les modifications ne prendront effet qu'après le redémarrage du démon de serveur Web Apache.","html":"

Notez que les modifications ne prendront effet qu'après le redémarrage du démon de serveur Web Apache.

"},{"id":"text-212","type":"text","heading":"","plain_text":"Testez vos capacités PHP avec ce fichier de test: /maison/utilisateur1/public_html/test.php","html":"

Testez vos capacités PHP avec ce fichier de test: /maison/utilisateur1/public_html/test.php

"},{"id":"text-213","type":"text","heading":"","plain_text":"<? phpphpinfo ();?>\nOU (ancien format)","html":"

<? phpphpinfo ();?>\nOU (ancien format)

"},{"id":"text-214","type":"text","heading":"","plain_text":"Tester: http: // localhost / ~utilisateur1/test.php\nPour plus d'informations, consultez la liste des sites Web d'informations PHP de YoLinux.","html":"

Tester: http: // localhost / ~utilisateur1/test.php\nPour plus d'informations, consultez la liste des sites Web d'informations PHP de YoLinux.

"},{"id":"text-215","type":"text","heading":"","plain_text":"Exécuter plusieurs instances de httpd:\nLe démon du serveur Web Apache (httpd) peut être démarré avec la commande\noption de ligne "-f" pour spécifier un fichier de configuration unique pour chaque instance.\nConfigurez une adresse IP unique pour chaque instance d'Apache.\nReportez-vous au didacticiel de mise en réseau YoLinux pour spécifier plusieurs adresses IP pour une même carte réseau.\nUtilisez la directive du fichier de configuration Apache Écoute XXX.XXX.XXX.XXX, où l'adresse IP est unique pour chaque instance d'Apache.","html":"

Exécuter plusieurs instances de httpd:\nLe démon du serveur Web Apache (httpd) peut être démarré avec la commande\noption de ligne "-f" pour spécifier un fichier de configuration unique pour chaque instance.\nConfigurez une adresse IP unique pour chaque instance d'Apache.\nReportez-vous au didacticiel de mise en réseau YoLinux pour spécifier plusieurs adresses IP pour une même carte réseau.\nUtilisez la directive du fichier de configuration Apache Écoute XXX.XXX.XXX.XXX, où l'adresse IP est unique pour chaque instance d'Apache.

"},{"id":"text-216","type":"text","heading":"","plain_text":"Apache Man Pages:","html":"

Apache Man Pages:

"},{"id":"text-217","type":"text","heading":"","plain_text":"httpd – Apache Hypertext Transfer Protocol Server","html":"

httpd – Apache Hypertext Transfer Protocol Server

"},{"id":"text-218","type":"text","heading":"","plain_text":"apachectl – Interface de contrôle du serveur HTTP Apache","html":"

apachectl – Interface de contrôle du serveur HTTP Apache

"},{"id":"text-219","type":"text","heading":"","plain_text":"ab – Outil d'analyse comparative de serveur HTTP Apache","html":"

ab – Outil d'analyse comparative de serveur HTTP Apache

"},{"id":"text-220","type":"text","heading":"","plain_text":"htdigest – gère les fichiers utilisateur pour l'authentification Digest","html":"

htdigest – gère les fichiers utilisateur pour l'authentification Digest

"},{"id":"text-221","type":"text","heading":"","plain_text":"htpasswd – Gère les fichiers utilisateur pour l'authentification de base","html":"

htpasswd – Gère les fichiers utilisateur pour l'authentification de base

"},{"id":"text-222","type":"text","heading":"","plain_text":"logresolve – Résoudre les adresses IP en noms d'hôte dans les fichiers journaux Apache","html":"

logresolve – Résoudre les adresses IP en noms d'hôte dans les fichiers journaux Apache

"},{"id":"text-223","type":"text","heading":"","plain_text":"rotatelogs – Programme de journalisation en pipeline pour faire pivoter les journaux Apache","html":"

rotatelogs – Programme de journalisation en pipeline pour faire pivoter les journaux Apache

"},{"id":"text-224","type":"text","heading":"","plain_text":"Consultez également le manuel de configuration Apache en ligne local: http: // localhost / manual /.","html":"

Consultez également le manuel de configuration Apache en ligne local: http: // localhost / manual /.

"},{"id":"text-225","type":"text","heading":"","plain_text":"Configuration de l'interface graphique Apache Red Hat / Fedora Core:\nOutil de configuration de l'interface graphique:","html":"

Configuration de l'interface graphique Apache Red Hat / Fedora Core:\nOutil de configuration de l'interface graphique:

"},{"id":"text-226","type":"text","heading":"","plain_text":"Red Hat EL 4/5, Fedora 2-10: / usr / bin / system-config-httpd","html":"

Red Hat EL 4/5, Fedora 2-10: / usr / bin / system-config-httpd

"},{"id":"text-227","type":"text","heading":"","plain_text":"Red Hat 8/9, Fedora Core 1: / usr / bin / redhat-config-httpd","html":"

Red Hat 8/9, Fedora Core 1: / usr / bin / redhat-config-httpd

"},{"id":"text-228","type":"text","heading":"","plain_text":"Ajout de la connexion au site Web et de la protection par mot de passe: Consultez le didacticiel YoLinux sur la protection par mot de passe du site Web.","html":"

Ajout de la connexion au site Web et de la protection par mot de passe: Consultez le didacticiel YoLinux sur la protection par mot de passe du site Web.

"},{"id":"text-229","type":"text","heading":"","plain_text":"Analyse du fichier journal:","html":"

Analyse du fichier journal:

"},{"id":"text-230","type":"text","heading":"","plain_text":"L'analyse des fichiers de journal Web Apache ne fournira pas de statistiques significatives\nà moins qu’ils soient représentés graphiquement ou présentés de manière facile à lire. Le suivant\npaquets à un bon travail de présentation des statistiques du site.","html":"

L'analyse des fichiers de journal Web Apache ne fournira pas de statistiques significatives\nà moins qu’ils soient représentés graphiquement ou présentés de manière facile à lire. Le suivant\npaquets à un bon travail de présentation des statistiques du site.

"},{"id":"text-231","type":"text","heading":"","plain_text":"Services de statistiques de site Web:","html":"

Services de statistiques de site Web:

"},{"id":"text-232","type":"text","heading":"","plain_text":"Charger en charge votre serveur:","html":"

Charger en charge votre serveur:

"},{"id":"text-233","type":"text","heading":"","plain_text":"Liens Apache:","html":"

Liens Apache:

"},{"id":"text-234","type":"text","heading":"","plain_text":"CgiWrap – Le wrapper setuid qui permet aux utilisateurs d'installer et d'exécuter leurs propres scripts cgi exécutés sous leur propre ID utilisateur","html":"

CgiWrap – Le wrapper setuid qui permet aux utilisateurs d'installer et d'exécuter leurs propres scripts cgi exécutés sous leur propre ID utilisateur

"},{"id":"text-235","type":"text","heading":"","plain_text":"WWWThreads.org – Produit commercial – Logiciel avancé de téléconférence Web","html":"

WWWThreads.org – Produit commercial – Logiciel avancé de téléconférence Web

"},{"id":"text-236","type":"text","heading":"","plain_text":"Configuration de https (mod_ssl):","html":"

Configuration de https (mod_ssl):

"},{"id":"text-237","type":"text","heading":"","plain_text":"Analyse du fichier journal avec Analog:","html":"

Analyse du fichier journal avec Analog:

"},{"id":"text-238","type":"text","heading":"","plain_text":"Installation:","html":"

Installation:

"},{"id":"text-239","type":"text","heading":"","plain_text":"Red Hat / Fedora: miam installer analogique\nUbuntu / Debian: apt-get install analog","html":"

Red Hat / Fedora: miam installer analogique\nUbuntu / Debian: apt-get install analog

"},{"id":"text-240","type":"text","heading":"","plain_text":"Les packages d'installation sont également disponibles sur la page de téléchargements analogiques.\nFichier de configuration: /etc/analog.cfg","html":"

Les packages d'installation sont également disponibles sur la page de téléchargements analogiques.\nFichier de configuration: /etc/analog.cfg

"},{"id":"text-241","type":"text","heading":"","plain_text":"LOGFILE / var / log / httpd /votre-domaine.com-access_log * http: // www.votre-domaine.com\nUNCOMPRESS * .gz, *. Z "gzip -cd"\nSUBTYPE * .gz, *. Z\n#\nOUTFILE / home /utilisateur1/public_html/analog/Report.html\n#\nNOM D'HOTE "VotreDomaine.com"\nHOSTURL http: // www.votre-domaine.com","html":"

LOGFILE / var / log / httpd /votre-domaine.com-access_log * http: // www.votre-domaine.com\nUNCOMPRESS * .gz, *. Z "gzip -cd"\nSUBTYPE * .gz, *. Z\n#\nOUTFILE / home /utilisateur1/public_html/analog/Report.html\n#\nNOM D'HOTE "VotreDomaine.com"\nHOSTURL http: // www.votre-domaine.com

"},{"id":"text-242","type":"text","heading":"","plain_text":"....\n...\n..","html":"

....\n...\n..

"},{"id":"text-243","type":"text","heading":"","plain_text":"Pages REQINCLUDE # Demander les statistiques de la page uniquement","html":"

Pages REQINCLUDE # Demander les statistiques de la page uniquement

"},{"id":"text-244","type":"text","heading":"","plain_text":"TOUT SUR\nLANGUE US-ANGLAIS","html":"

TOUT SUR\nLANGUE US-ANGLAIS

"},{"id":"text-245","type":"text","heading":"","plain_text":"Vous pouvez afficher les paramètres utilisés avec votre fichier de configuration (également utiles pour le débogage): réglages analogiques\nRendre les images analogiques disponibles pour le rapport des utilisateurs: ln -s / usr / share / analogique / images / * / home /utilisateur1/ public_html / analogique","html":"

Vous pouvez afficher les paramètres utilisés avec votre fichier de configuration (également utiles pour le débogage): réglages analogiques\nRendre les images analogiques disponibles pour le rapport des utilisateurs: ln -s / usr / share / analogique / images / * / home /utilisateur1/ public_html / analogique

"},{"id":"text-246","type":"text","heading":"","plain_text":"Emplacement du fichier journal:","html":"

Emplacement du fichier journal:

"},{"id":"text-247","type":"text","heading":"","plain_text":"Red Hat / Fedora: / var / log / httpd /\nUbuntu / Debian: / var / log / apache2 /","html":"

Red Hat / Fedora: / var / log / httpd /\nUbuntu / Debian: / var / log / apache2 /

"},{"id":"text-248","type":"text","heading":"","plain_text":"La directive "TOUT SUR"active tous les éléments suivants:","html":"

La directive "TOUT SUR"active tous les éléments suivants:

"},{"id":"text-249","type":"text","heading":"","plain_text":"Directive analogique\nLa description","html":"

Directive analogique\nLa description

"},{"id":"text-250","type":"text","heading":"","plain_text":"Tous les mois \n une ligne par mois","html":"

Tous les mois \n une ligne par mois

"},{"id":"text-251","type":"text","heading":"","plain_text":"HEBDOMADAIRE SUR \n une ligne par semaine","html":"

HEBDOMADAIRE SUR \n une ligne par semaine

"},{"id":"text-252","type":"text","heading":"","plain_text":"DAILYREP ON \n une ligne par jour","html":"

DAILYREP ON \n une ligne par jour

"},{"id":"text-253","type":"text","heading":"","plain_text":"DAILYSUM ON \n une ligne pour chaque jour de la semaine","html":"

DAILYSUM ON \n une ligne pour chaque jour de la semaine

"},{"id":"text-254","type":"text","heading":"","plain_text":"HOURLYREP ON \n une ligne pour chaque heure de la journée","html":"

HOURLYREP ON \n une ligne pour chaque heure de la journée

"},{"id":"text-255","type":"text","heading":"","plain_text":"GENERAL ON \n le résumé général en haut","html":"

GENERAL ON \n le résumé général en haut

"},{"id":"text-256","type":"text","heading":"","plain_text":"DEMANDE SUR \n quels fichiers ont été demandés","html":"

DEMANDE SUR \n quels fichiers ont été demandés

"},{"id":"text-257","type":"text","heading":"","plain_text":"ÉCHEC SUR \n quels fichiers n'ont pas été trouvés","html":"

ÉCHEC SUR \n quels fichiers n'ont pas été trouvés

"},{"id":"text-258","type":"text","heading":"","plain_text":"ANNUAIRE SUR \n Rapport d'annuaire","html":"

ANNUAIRE SUR \n Rapport d'annuaire

"},{"id":"text-259","type":"text","heading":"","plain_text":"HÔTE SUR \n quels ordinateurs ont demandé des fichiers","html":"

HÔTE SUR \n quels ordinateurs ont demandé des fichiers

"},{"id":"text-260","type":"text","heading":"","plain_text":"ORGANISATION SUR \n de quelles organisations ils venaient","html":"

ORGANISATION SUR \n de quelles organisations ils venaient

"},{"id":"text-261","type":"text","heading":"","plain_text":"DOMAINE SUR \n dans quels pays ils étaient","html":"

DOMAINE SUR \n dans quels pays ils étaient

"},{"id":"text-262","type":"text","heading":"","plain_text":"REFERER SUR \n où les gens ont suivi les liens de","html":"

REFERER SUR \n où les gens ont suivi les liens de

"},{"id":"text-263","type":"text","heading":"","plain_text":"FAILREF ON \n où les gens ont suivi des liens brisés de","html":"

FAILREF ON \n où les gens ont suivi des liens brisés de

"},{"id":"text-264","type":"text","heading":"","plain_text":"RECHERCHE SUR \n les phrases et les mots qu'ils ont utilisés …","html":"

RECHERCHE SUR \n les phrases et les mots qu'ils ont utilisés …

"},{"id":"text-265","type":"text","heading":"","plain_text":"MOT DE RECHERCHE SUR \n … pour vous trouver parmi les moteurs de recherche","html":"

MOT DE RECHERCHE SUR \n … pour vous trouver parmi les moteurs de recherche

"},{"id":"text-266","type":"text","heading":"","plain_text":"NAVIGATEUR SUR \n quels types de navigateurs les gens utilisaient","html":"

NAVIGATEUR SUR \n quels types de navigateurs les gens utilisaient

"},{"id":"text-267","type":"text","heading":"","plain_text":"OSREP ON \n et quels systèmes d'exploitation","html":"

OSREP ON \n et quels systèmes d'exploitation

"},{"id":"text-268","type":"text","heading":"","plain_text":"FILETYPE ON \n types de fichiers demandés","html":"

FILETYPE ON \n types de fichiers demandés

"},{"id":"text-269","type":"text","heading":"","plain_text":"TAILLE SUR \n taille des fichiers demandés","html":"

TAILLE SUR \n taille des fichiers demandés

"},{"id":"text-270","type":"text","heading":"","plain_text":"ÉTAT SUR \n nombre de chaque type de succès et d'échec","html":"

ÉTAT SUR \n nombre de chaque type de succès et d'échec

"},{"id":"text-271","type":"text","heading":"","plain_text":"Cron job pour gérer plusieurs domaines: /etc/cron.daily/analog","html":"

Cron job pour gérer plusieurs domaines: /etc/cron.daily/analog

"},{"id":"text-272","type":"text","heading":"","plain_text":"#! / bin / sh\ncp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg\n/ usr / bin / analogique\ncp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg\n/ usr / bin / analogique","html":"

#! / bin / sh\ncp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg\n/ usr / bin / analogique\ncp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg\n/ usr / bin / analogique

"},{"id":"text-273","type":"text","heading":"","plain_text":"...","html":"

...

"},{"id":"text-274","type":"text","heading":"","plain_text":"Liens:","html":"

Liens:

"},{"id":"text-275","type":"text","heading":"","plain_text":"Mesure des performances du serveur Web:","html":"

Mesure des performances du serveur Web:

"},{"id":"text-276","type":"text","heading":"","plain_text":"Voir le didacticiel de référence du serveur Web YoLinux.com.","html":"

Voir le didacticiel de référence du serveur Web YoLinux.com.

"},{"id":"text-277","type":"text","heading":"","plain_text":"Configuration du compte utilisateur FTPd et FTP:","html":"

Configuration du compte utilisateur FTPd et FTP:

"},{"id":"text-278","type":"text","heading":"","plain_text":"De nombreux programmes FTP existent. Cet exemple couvre le populaire\n      vsftpd (Red Hat default 9.0, Fedora Core, Suse) et\n      wu-ftpd (Washington\nUniversity) qui est livré en standard avec RedHat (le dernier livré avec\nRedHat 8.0 mais peut être installé sur n’importe quel système Linux).\n(RPM: wu-ftpd)\nIl existe d'autres programmes FTP, y compris proFtpd\n(prend en charge l’authentification LDAP, les directives de type Apache, les fonctionnalités complètes\nlogiciel serveur ftp),\n      bftpd, pure-ftpd (BSD libre et en option sur Suse), etc …","html":"

De nombreux programmes FTP existent. Cet exemple couvre le populaire\n      vsftpd (Red Hat default 9.0, Fedora Core, Suse) et\n      wu-ftpd (Washington\nUniversity) qui est livré en standard avec RedHat (le dernier livré avec\nRedHat 8.0 mais peut être installé sur n’importe quel système Linux).\n(RPM: wu-ftpd)\nIl existe d'autres programmes FTP, y compris proFtpd\n(prend en charge l’authentification LDAP, les directives de type Apache, les fonctionnalités complètes\nlogiciel serveur ftp),\n      bftpd, pure-ftpd (BSD libre et en option sur Suse), etc …

"},{"id":"text-279","type":"text","heading":"","plain_text":"Pour les environnements hostiles, configurez un environnement chrooté pour sftp connexion cryptée et la rssh shell restreint pour OpenSSH.\nVoir le tutoriel sur la sécurité Internet de YoLinux.com pour Linux sftp et rssh configuration","html":"

Pour les environnements hostiles, configurez un environnement chrooté pour sftp connexion cryptée et la rssh shell restreint pour OpenSSH.\nVoir le tutoriel sur la sécurité Internet de YoLinux.com pour Linux sftp et rssh configuration

"},{"id":"text-280","type":"text","heading":"","plain_text":"Voir aussi la configuration sftp chrootée préférée pour OpenSSH 4.9+","html":"

Voir aussi la configuration sftp chrootée préférée pour OpenSSH 4.9+

"},{"id":"text-281","type":"text","heading":"","plain_text":"FTPd et SELinux: pour autoriser l'accès au démon FTPd et l'accès FTP aux répertoires de base des utilisateurs:","html":"

FTPd et SELinux: pour autoriser l'accès au démon FTPd et l'accès FTP aux répertoires de base des utilisateurs:

"},{"id":"text-282","type":"text","heading":"","plain_text":"Suivre avec la commande service vsftpd redémarrer\nTutoriels de configuration FTPd:","html":"

Suivre avec la commande service vsftpd redémarrer\nTutoriels de configuration FTPd:

"},{"id":"text-283","type":"text","heading":"","plain_text":"Configuration du compte utilisateur vsFTPd et FTP:","html":"

Configuration du compte utilisateur vsFTPd et FTP:

"},{"id":"text-284","type":"text","heading":"","plain_text":"Le serveur ftp vsFTPd a été mis à disposition pour la première fois dans Red Hat 9.0. Il a également été adopté par Suse et OpenBSD.\nC'est actuellement le démon FTP recommandé pour une utilisation sur des serveurs FTP.","html":"

Le serveur ftp vsFTPd a été mis à disposition pour la première fois dans Red Hat 9.0. Il a également été adopté par Suse et OpenBSD.\nC'est actuellement le démon FTP recommandé pour une utilisation sur des serveurs FTP.

"},{"id":"text-285","type":"text","heading":"","plain_text":"Activer vsftpd:","html":"

Activer vsftpd:

"},{"id":"text-286","type":"text","heading":"","plain_text":"Red Hat / Fedora Core / CentOS:\nVsFTPd est un service autonome et par l’installation par défaut de Fedora Core,\nnon contrôlé par xinetd comme l’installation par défaut de wu-ftpd.\n Commencez donc le service: service vsftpd start (ou: /etc/init.d/vsftpd start)\n Configurez vsftpd pour qu'il démarre au démarrage du système: chkconfig --add vsftpd","html":"

Red Hat / Fedora Core / CentOS:\nVsFTPd est un service autonome et par l’installation par défaut de Fedora Core,\nnon contrôlé par xinetd comme l’installation par défaut de wu-ftpd.\n Commencez donc le service: service vsftpd start (ou: /etc/init.d/vsftpd start)\n Configurez vsftpd pour qu'il démarre au démarrage du système: chkconfig --add vsftpd

"},{"id":"text-287","type":"text","heading":"","plain_text":"SuSE: Par défaut, vsftpd est un service contrôlé par xinetd. Autoriser\nServices de serveur FTP éditer le fichier /etc/xinetd.d/vsftpd et changer:\n désactiver = oui\n à:\n désactiver = non\n Redémarrez le démon xinetd: /etc/init.d/xinetd restart\n Remarque: vsftpd peut également être exécuté en tant que service autonome pour obtenir un résultat plus rapide.\nTemps de réponse.","html":"

SuSE: Par défaut, vsftpd est un service contrôlé par xinetd. Autoriser\nServices de serveur FTP éditer le fichier /etc/xinetd.d/vsftpd et changer:\n désactiver = oui\n à:\n désactiver = non\n Redémarrez le démon xinetd: /etc/init.d/xinetd restart\n Remarque: vsftpd peut également être exécuté en tant que service autonome pour obtenir un résultat plus rapide.\nTemps de réponse.

"},{"id":"text-288","type":"text","heading":"","plain_text":"Ubuntu (dapper / hardy / natty) / Debian:","html":"

Ubuntu (dapper / hardy / natty) / Debian:

"},{"id":"text-289","type":"text","heading":"","plain_text":"Installer: apt-get install vsftpd\n \nVsFTPd est un service autonome.","html":"

Installer: apt-get install vsftpd\n \nVsFTPd est un service autonome.

"},{"id":"text-290","type":"text","heading":"","plain_text":"Début: /etc/init.d/vsftpd start\n \nArrêtez: /etc/init.d/vsftpd stop\n \nRedémarrer: /etc/init.d/vsftpd restart\n (Utilisez cette commande après avoir modifié le fichier de configuration)","html":"

Début: /etc/init.d/vsftpd start\n \nArrêtez: /etc/init.d/vsftpd stop\n \nRedémarrer: /etc/init.d/vsftpd restart\n (Utilisez cette commande après avoir modifié le fichier de configuration)

"},{"id":"text-291","type":"text","heading":"","plain_text":"Pour plus d’informations sur le démarrage / l’arrêt / la configuration des services Linux, voir la\n      Tutoriel YoLinux sur le processus d'initialisation Linux et l'activation du service.","html":"

Pour plus d’informations sur le démarrage / l’arrêt / la configuration des services Linux, voir la\n      Tutoriel YoLinux sur le processus d'initialisation Linux et l'activation du service.

"},{"id":"text-292","type":"text","heading":"","plain_text":"Fichiers de configuration:","html":"

Fichiers de configuration:

"},{"id":"text-293","type":"text","heading":"","plain_text":"Fichier de configuration vsFTPd:","html":"

Fichier de configuration vsFTPd:

"},{"id":"text-294","type":"text","heading":"","plain_text":"Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf\n \nS.u.S.e. / Ubuntu (dapper / hardy / natty) / Debian: /etc/vsftpd.conf","html":"

Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf\n \nS.u.S.e. / Ubuntu (dapper / hardy / natty) / Debian: /etc/vsftpd.conf

"},{"id":"text-295","type":"text","heading":"","plain_text":"Par défaut pour Fedora Core 3:","html":"

Par défaut pour Fedora Core 3:

"},{"id":"text-296","type":"text","heading":"","plain_text":"anonymous_enable = OUI - FTP anonyme autorisé par défaut si vous commentez ceci.\n                                  Répertoire par défaut utilisé: / var / ftp","html":"

anonymous_enable = OUI - FTP anonyme autorisé par défaut si vous commentez ceci.\n                                  Répertoire par défaut utilisé: / var / ftp

"},{"id":"text-297","type":"text","heading":"","plain_text":"local_enable = YES - Un-comment this to allow local users to log in with FTP.\n Must also set SELinux boolean: setsebool -P ftp_home_dir 1","html":"

local_enable = YES - Un-comment this to allow local users to log in with FTP.\n Must also set SELinux boolean: setsebool -P ftp_home_dir 1

"},{"id":"text-298","type":"text","heading":"","plain_text":"write_enable=YES - Un-comment this to enable any form of FTP write or upload command.","html":"

write_enable=YES - Un-comment this to enable any form of FTP write or upload command.

"},{"id":"text-299","type":"text","heading":"","plain_text":"local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.","html":"

local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.

"},{"id":"text-300","type":"text","heading":"","plain_text":"#anon_upload_enable=YES - Un-comment to allow the anonymous FTP user to upload files. \n                                  Requires the above global write enabled. Directory must also be writable by user.","html":"

#anon_upload_enable=YES - Un-comment to allow the anonymous FTP user to upload files. \n                                  Requires the above global write enabled. Directory must also be writable by user.

"},{"id":"text-301","type":"text","heading":"","plain_text":"#anon_mkdir_write_enable=YES - Un-comment this to allow the anonymous FTP user to be able to create new directories.","html":"

#anon_mkdir_write_enable=YES - Un-comment this to allow the anonymous FTP user to be able to create new directories.

"},{"id":"text-302","type":"text","heading":"","plain_text":"dirmessage_enable=YES - Activate directory messages. \n                                  Messages given to remote users when they enter certain directories","html":"

dirmessage_enable=YES - Activate directory messages. \n                                  Messages given to remote users when they enter certain directories

"},{"id":"text-303","type":"text","heading":"","plain_text":"xferlog_enable=YES - Activate logging of uploads/downloads.","html":"

xferlog_enable=YES - Activate logging of uploads/downloads.

"},{"id":"text-304","type":"text","heading":"","plain_text":"connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)","html":"

connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)

"},{"id":"text-305","type":"text","heading":"","plain_text":"#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)","html":"

#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)

"},{"id":"text-306","type":"text","heading":"","plain_text":"#chown_username=quiconque","html":"

#chown_username=quiconque

"},{"id":"text-307","type":"text","heading":"","plain_text":"#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log","html":"

#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log

"},{"id":"text-308","type":"text","heading":"","plain_text":"xferlog_std_format=YES - Output to log file in standard ftpd xferlog format","html":"

xferlog_std_format=YES - Output to log file in standard ftpd xferlog format

"},{"id":"text-309","type":"text","heading":"","plain_text":"#idle_session_timeout=600 - Set timing out for an idle session.","html":"

#idle_session_timeout=600 - Set timing out for an idle session.

"},{"id":"text-310","type":"text","heading":"","plain_text":"#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20","html":"

#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20

"},{"id":"text-311","type":"text","heading":"","plain_text":"#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.","html":"

#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.

"},{"id":"text-312","type":"text","heading":"","plain_text":"# Enable this and the server will recognize asynchronous ABOR requests. ne pas\n# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.\n#async_abor_enable=YES","html":"

# Enable this and the server will recognize asynchronous ABOR requests. ne pas\n# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.\n#async_abor_enable=YES

"},{"id":"text-313","type":"text","heading":"","plain_text":"#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. \n                                  Disables command "ascii" and "SIZE /big/file".","html":"

#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. \n                                  Disables command "ascii" and "SIZE /big/file".

"},{"id":"text-314","type":"text","heading":"","plain_text":"#ascii_download_enable=YES","html":"

#ascii_download_enable=YES

"},{"id":"text-315","type":"text","heading":"","plain_text":"#ftpd_banner=Welcome to YoLinux - Customize the login banner string.","html":"

#ftpd_banner=Welcome to YoLinux - Customize the login banner string.

"},{"id":"text-316","type":"text","heading":"","plain_text":"#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.","html":"

#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.

"},{"id":"text-317","type":"text","heading":"","plain_text":"#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)","html":"

#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)

"},{"id":"text-318","type":"text","heading":"","plain_text":"#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.","html":"

#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.

"},{"id":"text-319","type":"text","heading":"","plain_text":"#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)","html":"

#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)

"},{"id":"text-320","type":"text","heading":"","plain_text":"ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.","html":"

ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.

"},{"id":"text-321","type":"text","heading":"","plain_text":"pam_service_name=vsftpd","html":"

pam_service_name=vsftpd

"},{"id":"text-322","type":"text","heading":"","plain_text":"userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list\n If "userlist_enable=NO" then allow specified users.\n Red Hat: /etc/vsftpd/user_list\n#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.","html":"

userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list\n If "userlist_enable=NO" then allow specified users.\n Red Hat: /etc/vsftpd/user_list\n#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.

"},{"id":"text-323","type":"text","heading":"","plain_text":"listen=YES - Enable for standalone mode as opposed to an xinetd service.\n Must set SELinux boolean: setsebool -P ftpd_is_daemon 1","html":"

listen=YES - Enable for standalone mode as opposed to an xinetd service.\n Must set SELinux boolean: setsebool -P ftpd_is_daemon 1

"},{"id":"text-324","type":"text","heading":"","plain_text":"tcp_wrappers=YES\n \nRestart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)","html":"

tcp_wrappers=YES\n \nRestart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

"},{"id":"text-325","type":"text","heading":"","plain_text":"[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:","html":"

[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

"},{"id":"text-326","type":"text","heading":"","plain_text":"directive=XXX # comment\n \n vsftp.conf man page","html":"

directive=XXX # comment\n \n vsftp.conf man page

"},{"id":"text-327","type":"text","heading":"","plain_text":"Specify list of local users chrooted to their home directories:","html":"

Specify list of local users chrooted to their home directories:

"},{"id":"text-328","type":"text","heading":"","plain_text":"Red Hat: /etc/vsftpd/vsftpd/chroot_list\nUbuntu: /etc/vsftpd/vsftpd.chroot_list","html":"

Red Hat: /etc/vsftpd/vsftpd/chroot_list\nUbuntu: /etc/vsftpd/vsftpd.chroot_list

"},{"id":"text-329","type":"text","heading":"","plain_text":"(Requires: chroot_list_enable=NO)","html":"

(Requires: chroot_list_enable=NO)

"},{"id":"text-330","type":"text","heading":"","plain_text":"user1user2...user-n\n \nSi userlist_enable=YES, then specify users not to be chroot'd..","html":"

user1user2...user-n\n \nSi userlist_enable=YES, then specify users not to be chroot'd..

"},{"id":"text-331","type":"text","heading":"","plain_text":"Specify list of users:","html":"

Specify list of users:

"},{"id":"text-332","type":"text","heading":"","plain_text":"Red Hat: /etc/vsftpd/user_list\nUbuntu: /etc/vsftpd.user_list","html":"

Red Hat: /etc/vsftpd/user_list\nUbuntu: /etc/vsftpd.user_list

"},{"id":"text-333","type":"text","heading":"","plain_text":"(Deny list of users requires: userlist_enable=YES)\n Also see PAM configuration below.\nracinepoubelledémonadmlpsynchroniserfermerarrêt...\nSi userlist_enable=NO, then specify valid users.","html":"

(Deny list of users requires: userlist_enable=YES)\n Also see PAM configuration below.\nracinepoubelledémonadmlpsynchroniserfermerarrêt...\nSi userlist_enable=NO, then specify valid users.

"},{"id":"text-334","type":"text","heading":"","plain_text":"PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd","html":"

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

"},{"id":"text-335","type":"text","heading":"","plain_text":"#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth\n \nThis causes PAM to check /etc/vsftpd.ftpusers for users who are denied.\nThis duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.\n    \n    PAM authentication configuration file: ftpusers","html":"

#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth\n \nThis causes PAM to check /etc/vsftpd.ftpusers for users who are denied.\nThis duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.\n    \n    PAM authentication configuration file: ftpusers

"},{"id":"text-336","type":"text","heading":"","plain_text":"Red Hat: /etc/vsftpd/ftpusers\nUbuntu: /etc/vsftpd.ftpusers","html":"

Red Hat: /etc/vsftpd/ftpusers\nUbuntu: /etc/vsftpd.ftpusers

"},{"id":"text-337","type":"text","heading":"","plain_text":"racine\npoubelle\ndémon\nadm\nlp\nsynchroniser\nfermer\narrêt\n...\n...\n...\nuser6 - Users to deny\nuser8","html":"

racine\npoubelle\ndémon\nadm\nlp\nsynchroniser\nfermer\narrêt\n...\n...\n...\nuser6 - Users to deny\nuser8

"},{"id":"text-338","type":"text","heading":"","plain_text":"...\n...","html":"

...\n...

"},{"id":"text-339","type":"text","heading":"","plain_text":"Logrotate configuration file: /etc/logrotate.d/vsftpd.log","html":"

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

"},{"id":"text-340","type":"text","heading":"","plain_text":"/var/log/xferlog \n    # ftpd doesn't handle SIGHUP properly\n    nocompress\n    missingok","html":"

/var/log/xferlog \n    # ftpd doesn't handle SIGHUP properly\n    nocompress\n    missingok

"},{"id":"text-341","type":"text","heading":"","plain_text":"Sample vsFTPd configurations:","html":"

Sample vsFTPd configurations:

"},{"id":"text-342","type":"text","heading":"","plain_text":"Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf","html":"

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

"},{"id":"text-343","type":"text","heading":"","plain_text":"# Access rights\nanonymous_enable=YES - Turn on anonymous FTP","html":"

# Access rights\nanonymous_enable=YES - Turn on anonymous FTP

"},{"id":"text-344","type":"text","heading":"","plain_text":"chown_uploads=YES - Uploaded files owned by an assigned user","html":"

chown_uploads=YES - Uploaded files owned by an assigned user

"},{"id":"text-345","type":"text","heading":"","plain_text":"chown_username=ftp - Uploaded files owned by this assigned user","html":"

chown_username=ftp - Uploaded files owned by this assigned user

"},{"id":"text-346","type":"text","heading":"","plain_text":"local_enable=NO\nwrite_enable=NO - No upload of files system changes allowed","html":"

local_enable=NO\nwrite_enable=NO - No upload of files system changes allowed

"},{"id":"text-347","type":"text","heading":"","plain_text":"anon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n# Security\nanon_world_readable_only=YES\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO\nhide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\n# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\nanon_max_rate=50000","html":"

anon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n# Security\nanon_world_readable_only=YES\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO\nhide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\n# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\nanon_max_rate=50000

"},{"id":"text-348","type":"text","heading":"","plain_text":"pam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES","html":"

pam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES

"},{"id":"text-349","type":"text","heading":"","plain_text":"Anonymous logins use the login name "anonymous" and then the user supplies their\nemail address as a password. Any password will be accepted.\nUsed to allow the public to download files from an ftp server.\nGenerally, no upload is permitted.","html":"

Anonymous logins use the login name "anonymous" and then the user supplies their\nemail address as a password. Any password will be accepted.\nUsed to allow the public to download files from an ftp server.\nGenerally, no upload is permitted.

"},{"id":"text-350","type":"text","heading":"","plain_text":"Web hosting configuration: /etc/vsftpd/vsftpd.conf","html":"

Web hosting configuration: /etc/vsftpd/vsftpd.conf

"},{"id":"text-351","type":"text","heading":"","plain_text":"# Access rights\nanonymous_enable=NO\nlocal_enable=YES - Allow users to ftp to their home directories","html":"

# Access rights\nanonymous_enable=NO\nlocal_enable=YES - Allow users to ftp to their home directories

"},{"id":"text-352","type":"text","heading":"","plain_text":"write_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE","html":"

write_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE

"},{"id":"text-353","type":"text","heading":"","plain_text":"local_umask=022\n# Security\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO - Don't remap user name","html":"

local_umask=022\n# Security\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO - Don't remap user name

"},{"id":"text-354","type":"text","heading":"","plain_text":"ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string.","html":"

ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string.

"},{"id":"text-355","type":"text","heading":"","plain_text":"chroot_local_user=YES - Limit user to browse their own directory only","html":"

chroot_local_user=YES - Limit user to browse their own directory only

"},{"id":"text-356","type":"text","heading":"","plain_text":"chroot_list_enable=YES - Enable list of system / power users","html":"

chroot_list_enable=YES - Enable list of system / power users

"},{"id":"text-357","type":"text","heading":"","plain_text":"chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users","html":"

chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users

"},{"id":"text-358","type":"text","heading":"","plain_text":"hide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\ndirmessage_enable=YES - Message greeting held in file .message or specify with message_file=...","html":"

hide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\ndirmessage_enable=YES - Message greeting held in file .message or specify with message_file=...

"},{"id":"text-359","type":"text","heading":"","plain_text":"# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\n#\npam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES","html":"

# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\n#\npam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES

"},{"id":"text-360","type":"text","heading":"","plain_text":"Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list\n Ubuntu typically: /etc/vsftpd.chroot_list\n (Requires: chroot_list_enable=NO)","html":"

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list\n Ubuntu typically: /etc/vsftpd.chroot_list\n (Requires: chroot_list_enable=NO)

"},{"id":"text-361","type":"text","heading":"","plain_text":"user1user2...user-n","html":"

user1user2...user-n

"},{"id":"text-362","type":"text","heading":"","plain_text":"Si userlist_enable=YES, then specify users not to be chroot'd..","html":"

Si userlist_enable=YES, then specify users not to be chroot'd..

"},{"id":"text-363","type":"text","heading":"","plain_text":"[Potential Pitfall]:\nMisspelling a directive will cause vsftpd to fail with little warning.","html":"

[Potential Pitfall]:\nMisspelling a directive will cause vsftpd to fail with little warning.

"},{"id":"text-364","type":"text","heading":"","plain_text":"Fichier: .message","html":"

Fichier: .message

"},{"id":"text-365","type":"text","heading":"","plain_text":"A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.","html":"

A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.

"},{"id":"text-366","type":"text","heading":"","plain_text":"Test if vsftp is listening: netstat -a | grep ftp","html":"

Test if vsftp is listening: netstat -a | grep ftp

"},{"id":"text-367","type":"text","heading":"","plain_text":"[root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN\nLinks:\nWU-FTPd and FTP user account configuration:","html":"

[root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN\nLinks:\nWU-FTPd and FTP user account configuration:

"},{"id":"text-368","type":"text","heading":"","plain_text":"The wu-ftpd FTP server can be downloaded (binary or source) from\nhttp://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org).","html":"

The wu-ftpd FTP server can be downloaded (binary or source) from\nhttp://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org).

"},{"id":"text-369","type":"text","heading":"","plain_text":"There are three kinds of FTP logins that wu-ftpd provides:","html":"

There are three kinds of FTP logins that wu-ftpd provides:

"},{"id":"text-370","type":"text","heading":"","plain_text":"anonymous FTP – one logs in with the username 'anonymous'","html":"

anonymous FTP – one logs in with the username 'anonymous'

"},{"id":"text-371","type":"text","heading":"","plain_text":"real FTP – log in with a real username and password and\nhas access to the entire disk structure.","html":"

real FTP – log in with a real username and password and\nhas access to the entire disk structure.

"},{"id":"text-372","type":"text","heading":"","plain_text":"guest FTP – one logs in with a real user name and\npassword, but the user is chroot'ed to his home directory and cannot\nescape from it.\nThey are constrained to their home directory which also means that they don't\nhave access to /bin/ls and other commands on the server.\nThus a local minimalist environment must be set up.","html":"

guest FTP – one logs in with a real user name and\npassword, but the user is chroot'ed to his home directory and cannot\nescape from it.\nThey are constrained to their home directory which also means that they don't\nhave access to /bin/ls and other commands on the server.\nThus a local minimalist environment must be set up.

"},{"id":"text-373","type":"text","heading":"","plain_text":"This tutorial covers "guest" FTP configuration.","html":"

This tutorial covers "guest" FTP configuration.

"},{"id":"text-374","type":"text","heading":"","plain_text":"The file /etc/ftpaccess controls the configuration of ftp.","html":"

The file /etc/ftpaccess controls the configuration of ftp.

"},{"id":"text-375","type":"text","heading":"","plain_text":"# Don't allow system accounts to log in over ftp\n   deny-uid %-99 %65534-\n   deny-gid %-99 %65534-","html":"

# Don't allow system accounts to log in over ftp\n   deny-uid %-99 %65534-\n   deny-gid %-99 %65534-

"},{"id":"text-376","type":"text","heading":"","plain_text":"   class all real,guest *\n   email webmaster@your-domain.com\n \n \n \n loginfails 5","html":"

   class all real,guest *\n   email webmaster@your-domain.com\n \n \n \n loginfails 5

"},{"id":"text-377","type":"text","heading":"","plain_text":"   readme README* login\n   readme README* cwd=*\n   message /welcome.msg login\n   message .message cwd=*","html":"

   readme README* login\n   readme README* cwd=*\n   message /welcome.msg login\n   message .message cwd=*

"},{"id":"text-378","type":"text","heading":"","plain_text":"   compress yes all\n   tar yes all\n   chmod no guest,anonymous\n   delete no anonymous # delete files permission?\n   overwrite no anonymous # overwrite files permission?\n   rename no anonymous # rename files permission?\n   delete yes guest # delete files permission?\n   overwrite yes guest # overwrite files permission?\n   rename yes guest # rename files permission?\n   umask no guest # umask permission?","html":"

   compress yes all\n   tar yes all\n   chmod no guest,anonymous\n   delete no anonymous # delete files permission?\n   overwrite no anonymous # overwrite files permission?\n   rename no anonymous # rename files permission?\n   delete yes guest # delete files permission?\n   overwrite yes guest # overwrite files permission?\n   rename yes guest # rename files permission?\n   umask no guest # umask permission?

"},{"id":"text-379","type":"text","heading":"","plain_text":"   log transfers anonymous,real inbound,outbound","html":"

   log transfers anonymous,real inbound,outbound

"},{"id":"text-380","type":"text","heading":"","plain_text":"   shutdown /etc/shutmsg","html":"

   shutdown /etc/shutmsg

"},{"id":"text-381","type":"text","heading":"","plain_text":"   passwd-check rfc822 warn","html":"

   passwd-check rfc822 warn

"},{"id":"text-382","type":"text","heading":"","plain_text":"   # Must also create message file /etc/pathmsg of the guest directory.\n   # In this case it refers to /home/user1/public_html/etc/pathmsg.\n   path-filter guest /etc/pathmsg ^[-A-Za-z0-9_.]*$ ^. ^-\n   limit all 2\n   noretrieve passwd .htaccess core - Do not allow users to download files of these names\n \n \n \n limit-time * 20\n   byte-limit in 5000 - Limit file size\n \n \n \n guestuser * - System user default categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.\n \n \n \n realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". \n                                    Visibility of the whole file system and subject to regular UNIX file permissions\n \n \n \n realuser user4 - Assign real user privileges to user id "user4".","html":"

   # Must also create message file /etc/pathmsg of the guest directory.\n   # In this case it refers to /home/user1/public_html/etc/pathmsg.\n   path-filter guest /etc/pathmsg ^[-A-Za-z0-9_.]*$ ^. ^-\n   limit all 2\n   noretrieve passwd .htaccess core - Do not allow users to download files of these names\n \n \n \n limit-time * 20\n   byte-limit in 5000 - Limit file size\n \n \n \n guestuser * - System user default categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.\n \n \n \n realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". \n                                    Visibility of the whole file system and subject to regular UNIX file permissions\n \n \n \n realuser user4 - Assign real user privileges to user id "user4".

"},{"id":"text-383","type":"text","heading":"","plain_text":"restricted-uid user1 user2 user3 - Restricts FTP to the specified directories\n \n \n \n guest-root /home/user1/public_html user1\n guest-root /home/user2/public_html user2\n   guest-root /home/user3/public_html user3","html":"

restricted-uid user1 user2 user3 - Restricts FTP to the specified directories\n \n \n \n guest-root /home/user1/public_html user1\n guest-root /home/user2/public_html user2\n   guest-root /home/user3/public_html user3

"},{"id":"text-384","type":"text","heading":"","plain_text":"Remarque:","html":"

Remarque:

"},{"id":"text-385","type":"text","heading":"","plain_text":"user1, user2 et user3 refer to login accounts. Use the appropriate login name.","html":"

user1, user2 et user3 refer to login accounts. Use the appropriate login name.

"},{"id":"text-386","type":"text","heading":"","plain_text":"The above configuration disables anonymous FTP which allows anyone to\nperform an FTP login with the id anonyme and an email address as a\npassword. To enable anonymous FTP, change the classe directive to:","html":"

The above configuration disables anonymous FTP which allows anyone to\nperform an FTP login with the id anonyme and an email address as a\npassword. To enable anonymous FTP, change the classe directive to:

"},{"id":"text-387","type":"text","heading":"","plain_text":"class all real,guest,anonymous *","html":"

class all real,guest,anonymous *

"},{"id":"text-388","type":"text","heading":"","plain_text":"GUI FTP configuration tools:","html":"

GUI FTP configuration tools:

"},{"id":"text-389","type":"text","heading":"","plain_text":"/usr/bin/kwuftpd\n \n/sbin/linuxconf\n (Note: Linuxconf is no longer included with Red Hat 7.3 and later)","html":"

/usr/bin/kwuftpd\n \n/sbin/linuxconf\n (Note: Linuxconf is no longer included with Red Hat 7.3 and later)

"},{"id":"text-390","type":"text","heading":"","plain_text":"Red Hat Linux assigns users a user id and group id which is the same.\n    This means that it does not matter if you use a realuser ou\n realgroup directive as they will act the same.","html":"

Red Hat Linux assigns users a user id and group id which is the same.\n    This means that it does not matter if you use a realuser ou\n realgroup directive as they will act the same.

"},{"id":"text-391","type":"text","heading":"","plain_text":"Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections.\n    Thus xinetd must be running and configured to support ftp. le\n    configuration file is /etc/xinetd.d/wu-ftpd.\n    The command chkconfig wu-ftpd on will make the ftp server available.\n    See xinet configuration for more info.","html":"

Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections.\n    Thus xinetd must be running and configured to support ftp. le\n    configuration file is /etc/xinetd.d/wu-ftpd.\n    The command chkconfig wu-ftpd on will make the ftp server available.\n    See xinet configuration for more info.

"},{"id":"text-392","type":"text","heading":"","plain_text":"Allow override of deny-uid et / ou deny-gid:","html":"

Allow override of deny-uid et / ou deny-gid:

"},{"id":"text-393","type":"text","heading":"","plain_text":"allow-uid user-to-allow\n \n \n \n allow-gid group-to-allow","html":"

allow-uid user-to-allow\n \n \n \n allow-gid group-to-allow

"},{"id":"text-394","type":"text","heading":"","plain_text":"Optional configuration:","html":"

Optional configuration:

"},{"id":"text-395","type":"text","heading":"","plain_text":"Create a group ftpchroot\n \nAdd users to this group\n \nUse directive: guestgroup ftpchroot","html":"

Create a group ftpchroot\n \nAdd users to this group\n \nUse directive: guestgroup ftpchroot

"},{"id":"text-396","type":"text","heading":"","plain_text":"[Potential Pitfall]: Flaky ftp behavior,\ntimeouts, etc?? FTP works best with name resolution of the computer it is\ncommunicating with.\nThis requires proper /etc/resolv.conf and name server (bind)\nconfiguration, /etc/hosts or NIS/NFS configuration.","html":"

[Potential Pitfall]: Flaky ftp behavior,\ntimeouts, etc?? FTP works best with name resolution of the computer it is\ncommunicating with.\nThis requires proper /etc/resolv.conf and name server (bind)\nconfiguration, /etc/hosts or NIS/NFS configuration.

"},{"id":"text-397","type":"text","heading":"","plain_text":"Fichier /home/user1/public_html/etc/pathmsg:","html":"

Fichier /home/user1/public_html/etc/pathmsg:

"},{"id":"text-398","type":"text","heading":"","plain_text":"A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.\n   You have tried to upload a file with an inappropriate name.","html":"

A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.\n   You have tried to upload a file with an inappropriate name.

"},{"id":"text-399","type":"text","heading":"","plain_text":"The whole point of the chroot directory is to make the\nuser's home directory appear to be the root of the\nfilesystem (/) so one could not wander around the filesystem.\nConfiguration of /etc/ftpaccess will limit the user to their respective\ndirectories while still offering access to /bin/ls and other system commands\nused in FTP operation.","html":"

The whole point of the chroot directory is to make the\nuser's home directory appear to be the root of the\nfilesystem (/) so one could not wander around the filesystem.\nConfiguration of /etc/ftpaccess will limit the user to their respective\ndirectories while still offering access to /bin/ls and other system commands\nused in FTP operation.

"},{"id":"text-400","type":"text","heading":"","plain_text":"As root:","html":"

As root:

"},{"id":"text-401","type":"text","heading":"","plain_text":"cd /home/user1\n mkdir public_html\n   chown $1.$1 public_html\n   touch .rhosts - Security protection\n chmod ugo-xrw .rhosts","html":"

cd /home/user1\n mkdir public_html\n   chown $1.$1 public_html\n   touch .rhosts - Security protection\n chmod ugo-xrw .rhosts

"},{"id":"text-402","type":"text","heading":"","plain_text":"Man Pages:\nServeur:","html":"

Man Pages:\nServeur:

"},{"id":"text-403","type":"text","heading":"","plain_text":"ftpd – Internet File Transfer Protocol server","html":"

ftpd – Internet File Transfer Protocol server

"},{"id":"text-404","type":"text","heading":"","plain_text":"File Formats:","html":"

File Formats:

"},{"id":"text-405","type":"text","heading":"","plain_text":"/etc/ftpaccess – Configuration file for ftpd","html":"

/etc/ftpaccess – Configuration file for ftpd

"},{"id":"text-406","type":"text","heading":"","plain_text":"/etc/ftpservers – ftpd virtual hosting configuration file. (optionnel)","html":"

/etc/ftpservers – ftpd virtual hosting configuration file. (optionnel)

"},{"id":"text-407","type":"text","heading":"","plain_text":"/etc/ftphosts – allow or deny access to certain accounts from various hosts. (optionnel)","html":"

/etc/ftphosts – allow or deny access to certain accounts from various hosts. (optionnel)

"},{"id":"text-408","type":"text","heading":"","plain_text":"/etc/ftpconversions – ftpd conversions database (for tar and compression)","html":"

/etc/ftpconversions – ftpd conversions database (for tar and compression)

"},{"id":"text-409","type":"text","heading":"","plain_text":"/var/log/xferlog – FTP server logfile","html":"

/var/log/xferlog – FTP server logfile

"},{"id":"text-410","type":"text","heading":"","plain_text":"ftp – File Transfer Client program","html":"

ftp – File Transfer Client program

"},{"id":"text-411","type":"text","heading":"","plain_text":"Configuration files: (RH 8.0+)","html":"

Configuration files: (RH 8.0+)

"},{"id":"text-412","type":"text","heading":"","plain_text":"PAM configuration file: /etc/pam.d/ftp","html":"

PAM configuration file: /etc/pam.d/ftp

"},{"id":"text-413","type":"text","heading":"","plain_text":"#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth","html":"

#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth

"},{"id":"text-414","type":"text","heading":"","plain_text":"Xinetd configuration file: /etc/xinetd.d/wu-ftpd","html":"

Xinetd configuration file: /etc/xinetd.d/wu-ftpd

"},{"id":"text-415","type":"text","heading":"","plain_text":"service ftp","html":"

service ftp

"},{"id":"text-416","type":"text","heading":"","plain_text":"        disable = no\n        socket_type = stream\n        wait = no\n        user = root\n        server = /usr/sbin/in.ftpd\n        server_args = -l -a\n        log_on_success += DURATION USERID\n        log_on_failure += USERID\n        nice = 10","html":"

        disable = no\n        socket_type = stream\n        wait = no\n        user = root\n        server = /usr/sbin/in.ftpd\n        server_args = -l -a\n        log_on_success += DURATION USERID\n        log_on_failure += USERID\n        nice = 10

"},{"id":"text-417","type":"text","heading":"","plain_text":"Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.","html":"

Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.

"},{"id":"text-418","type":"text","heading":"","plain_text":"Logrotate configuration file: /etc/logrotate.d/ftpd\n/var/log/xferlog nocompress","html":"

Logrotate configuration file: /etc/logrotate.d/ftpd\n/var/log/xferlog nocompress

"},{"id":"text-419","type":"text","heading":"","plain_text":"Plus d'information:\nMan pages on related FTP commands and files:","html":"

Plus d'information:\nMan pages on related FTP commands and files:

"},{"id":"text-420","type":"text","heading":"","plain_text":"chroot – Run with a special root directory\n \nftpcount – Show number of concurrent users.\n \nftpshut – close down the ftp servers at a given time\n \nftprestart – Restart previously shutdown ftp servers\n \nftpwho – show current process information for each ftp user\n \nprivatepw – Change WU-FTPD Group Access File Information (admin command)","html":"

chroot – Run with a special root directory\n \nftpcount – Show number of concurrent users.\n \nftpshut – close down the ftp servers at a given time\n \nftprestart – Restart previously shutdown ftp servers\n \nftpwho – show current process information for each ftp user\n \nprivatepw – Change WU-FTPD Group Access File Information (admin command)

"},{"id":"text-421","type":"text","heading":"","plain_text":"Other FTP daemons:\nFTP Pitfalls:","html":"

Other FTP daemons:\nFTP Pitfalls:

"},{"id":"text-422","type":"text","heading":"","plain_text":"If you get the following error:","html":"

If you get the following error:

"},{"id":"text-423","type":"text","heading":"","plain_text":"ftp> ls227 Entering Passive Mode (208,188,34,109,208,89)ftp: connect: No route to host\nThis means you have firewall issues most probably on the FTP server itself.\nStart by removing the firewall "iptables" rules: iptables -F\nAdd rules until you discover what is causing the problem.","html":"

ftp> ls227 Entering Passive Mode (208,188,34,109,208,89)ftp: connect: No route to host\nThis means you have firewall issues most probably on the FTP server itself.\nStart by removing the firewall "iptables" rules: iptables -F\nAdd rules until you discover what is causing the problem.

"},{"id":"text-424","type":"text","heading":"","plain_text":"Passive mode:\nPassive mode can also help one past the rules:\nftp> passivePassive mode on.\nThis toggles passive mode on and off.\nWhen on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port et pasv_max_port\nFirewall connection tracking module:\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_conntrack_ftp"\nNAT firewall modules:\nYou can also try adding ip_nat_ftp to the list of auto-loaded modules:\n(This will also load the dependency: ip_conntrack_ftp.)\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_nat_ftp"\nThen restart the firewall: /etc/init.d/iptables condrestart\nFTP will change ports during use. le ip_conntrack_ftp module will\nconsider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work.\ni.e. rule: /etc/sysconfig/iptables","html":"

Passive mode:\nPassive mode can also help one past the rules:\nftp> passivePassive mode on.\nThis toggles passive mode on and off.\nWhen on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port et pasv_max_port\nFirewall connection tracking module:\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_conntrack_ftp"\nNAT firewall modules:\nYou can also try adding ip_nat_ftp to the list of auto-loaded modules:\n(This will also load the dependency: ip_conntrack_ftp.)\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_nat_ftp"\nThen restart the firewall: /etc/init.d/iptables condrestart\nFTP will change ports during use. le ip_conntrack_ftp module will\nconsider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work.\ni.e. rule: /etc/sysconfig/iptables

"},{"id":"text-425","type":"text","heading":"","plain_text":"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\nFTP fails because it can not change to the users home directory:\nErreur:","html":"

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\nFTP fails because it can not change to the users home directory:\nErreur:

"},{"id":"text-426","type":"text","heading":"","plain_text":"[user1@nodex ~]$ ftp node.domain.com","html":"

[user1@nodex ~]$ ftp node.domain.com

"},{"id":"text-427","type":"text","heading":"","plain_text":"Connected to XXX.XXX.XXX.XXX.\n530 Please login with USER and PASS.\n530 Please login with USER and PASS.\nKERBEROS_V4 rejected as an authentication type\nName (XXX.XXX.XXX.XXX:user1):\n331 Please specify the password.\nMot de passe:\n500 OOPS: cannot change directory:/home/user1\nLogin failed.\nftp> bye","html":"

Connected to XXX.XXX.XXX.XXX.\n530 Please login with USER and PASS.\n530 Please login with USER and PASS.\nKERBEROS_V4 rejected as an authentication type\nName (XXX.XXX.XXX.XXX:user1):\n331 Please specify the password.\nMot de passe:\n500 OOPS: cannot change directory:/home/user1\nLogin failed.\nftp> bye

"},{"id":"text-428","type":"text","heading":"","plain_text":"This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory.\nAs root, grant access with the following command:\nsetsebool -P ftp_home_dir 1\nFollowed by: service vsftpd restart","html":"

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory.\nAs root, grant access with the following command:\nsetsebool -P ftp_home_dir 1\nFollowed by: service vsftpd restart

"},{"id":"text-429","type":"text","heading":"","plain_text":"Test your vsftpd SELinux settings: getsebool -a | grep ftp","html":"

Test your vsftpd SELinux settings: getsebool -a | grep ftp

"},{"id":"text-430","type":"text","heading":"","plain_text":"allow_ftpd_anon_write --> off\nallow_ftpd_full_access --> off\nallow_ftpd_use_cifs --> off\nallow_ftpd_use_nfs --> off\nallow_tftp_anon_write --> off\nftp_home_dir --> on\nftpd_disable_trans --> off\nftpd_is_daemon --> on\nhttpd_enable_ftp_server --> off\ntftpd_disable_trans --> off","html":"

allow_ftpd_anon_write --> off\nallow_ftpd_full_access --> off\nallow_ftpd_use_cifs --> off\nallow_ftpd_use_nfs --> off\nallow_tftp_anon_write --> off\nftp_home_dir --> on\nftpd_disable_trans --> off\nftpd_is_daemon --> on\nhttpd_enable_ftp_server --> off\ntftpd_disable_trans --> off

"},{"id":"text-431","type":"text","heading":"","plain_text":"FTPd SELinux man page","html":"

FTPd SELinux man page

"},{"id":"text-432","type":"text","heading":"","plain_text":"FTP Linux clients:","html":"

FTP Linux clients:

"},{"id":"text-433","type":"text","heading":"","plain_text":"gftp: GUI GTK+\nMulti-threaded client. File transfer directory browsing and compare.\nMultiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS,\nSSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.\n \nKFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.\n \nkbear:\nGUI KDE based client. Connect to multiple servers, transfer files,\ndirectory browsing, file content browsing. Comes with S.U.S.e. Linux.\n \nftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)","html":"

gftp: GUI GTK+\nMulti-threaded client. File transfer directory browsing and compare.\nMultiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS,\nSSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.\n \nKFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.\n \nkbear:\nGUI KDE based client. Connect to multiple servers, transfer files,\ndirectory browsing, file content browsing. Comes with S.U.S.e. Linux.\n \nftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

"},{"id":"text-434","type":"text","heading":"","plain_text":"Basic user security:","html":"

Basic user security:

"},{"id":"text-435","type":"text","heading":"","plain_text":"When hosting web sites, there is no need to grant a shell account which only\nallows the server to have more potential security holes. Current systems can\nspecify the user to have only FTP access with no shell by granting them the\n"shell" /sbin/nologin provided with the system or the "ftponly"\nshell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id","html":"

When hosting web sites, there is no need to grant a shell account which only\nallows the server to have more potential security holes. Current systems can\nspecify the user to have only FTP access with no shell by granting them the\n"shell" /sbin/nologin provided with the system or the "ftponly"\nshell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id

"},{"id":"text-436","type":"text","heading":"","plain_text":"[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5\ndoes not support this configuration to prevent shell access.\nIt requires users to have a real user shell.\nc'est à dire. / bin / bash It works great in older and current Red Hat versions.\nIf it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access.\nYou should NOT be using this problem ridden version of ftpd. Use the latest\nwu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly","html":"

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5\ndoes not support this configuration to prevent shell access.\nIt requires users to have a real user shell.\nc'est à dire. / bin / bash It works great in older and current Red Hat versions.\nIf it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access.\nYou should NOT be using this problem ridden version of ftpd. Use the latest\nwu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly

"},{"id":"text-437","type":"text","heading":"","plain_text":"[Potential Pitfall]: Ubuntu – Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access.\nOne must create the shell "ftponly" as defined below to allow vsftp access with no shell.","html":"

[Potential Pitfall]: Ubuntu – Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access.\nOne must create the shell "ftponly" as defined below to allow vsftp access with no shell.

"},{"id":"text-438","type":"text","heading":"","plain_text":"Disable remote telnet login access allowing FTP access only:","html":"

Disable remote telnet login access allowing FTP access only:

"},{"id":"text-439","type":"text","heading":"","plain_text":"Change the shell for the user in /etc/passwd de / bin / bash être /opt/bin/ftponly.","html":"

Change the shell for the user in /etc/passwd de / bin / bash être /opt/bin/ftponly.

"},{"id":"text-440","type":"text","heading":"","plain_text":"...\nuser1:x:502:503::/home/user1:/opt/bin/ftponly\n...\n \n Create file: /opt/bin/ftponly.\n Protection set to -rwxr-xr-x 1 root root \n with the command: chmod ugo+x /opt/bin/ftponly\n Contents of file:","html":"

...\nuser1:x:502:503::/home/user1:/opt/bin/ftponly\n...\n \n Create file: /opt/bin/ftponly.\n Protection set to -rwxr-xr-x 1 root root \n with the command: chmod ugo+x /opt/bin/ftponly\n Contents of file:

"},{"id":"text-441","type":"text","heading":"","plain_text":"#!/bin/sh\n#\n# ftponly shell\n#\ntrap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15\n#\nAdmin=root@your-domain.com\n#System=`/bin/hostname`@`/bin/domainname`\n#\n/bin/echo\n/bin/echo "********************************************************************"\n/bin/echo " You are NOT allowed interactive access."\n/bin/echo\n/bin/echo " User accounts are restricted to ftp and web access."\n/bin/echo\n/bin/echo " Direct questions concerning this policy to $Admin."\n/bin/echo "********************************************************************"\n/bin/echo\n#\n# C'ya\n#\nexit 0","html":"

#!/bin/sh\n#\n# ftponly shell\n#\ntrap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15\n#\nAdmin=root@your-domain.com\n#System=`/bin/hostname`@`/bin/domainname`\n#\n/bin/echo\n/bin/echo "********************************************************************"\n/bin/echo " You are NOT allowed interactive access."\n/bin/echo\n/bin/echo " User accounts are restricted to ftp and web access."\n/bin/echo\n/bin/echo " Direct questions concerning this policy to $Admin."\n/bin/echo "********************************************************************"\n/bin/echo\n#\n# C'ya\n#\nexit 0

"},{"id":"text-442","type":"text","heading":"","plain_text":"The last step is to add this to the list of valid shells on the system.\n Add the line /opt/bin/ftponly à /etc/shells.\n \n Sample file contents: /etc/shells","html":"

The last step is to add this to the list of valid shells on the system.\n Add the line /opt/bin/ftponly à /etc/shells.\n \n Sample file contents: /etc/shells

"},{"id":"text-443","type":"text","heading":"","plain_text":"/ bin / bash\n/bin/bash1\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n \n See man page on /etc/shells.","html":"

/ bin / bash\n/bin/bash1\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n \n See man page on /etc/shells.

"},{"id":"text-444","type":"text","heading":"","plain_text":"An alternative would be to assign the shell /bin/false ou /sbin/nologin qui est devenu\navailable in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false ou /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.","html":"

An alternative would be to assign the shell /bin/false ou /sbin/nologin qui est devenu\navailable in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false ou /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.

"},{"id":"text-445","type":"text","heading":"","plain_text":"Set file quotas to limit user account.","html":"

Set file quotas to limit user account.

"},{"id":"text-446","type":"text","heading":"","plain_text":"For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial\n \nDomain Name Server (DNS) configuration using Bind version 8 or 9:","html":"

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial\n \nDomain Name Server (DNS) configuration using Bind version 8 or 9:

"},{"id":"text-447","type":"text","heading":"","plain_text":"Two of the most popular ways to configure the program Bind\n(Berkeley Internet Domain software) to perform DNS\nservices is in the role of (1) ISP or (2) Web Host.","html":"

Two of the most popular ways to configure the program Bind\n(Berkeley Internet Domain software) to perform DNS\nservices is in the role of (1) ISP or (2) Web Host.

"},{"id":"text-448","type":"text","heading":"","plain_text":"In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any\nURL the user wishes to visit. (See DNS caching server)\n \nIn a purely web hosting configuration, Bind will only resolve for the\nIP addresses of the domains which are being hosted. This is the configuration\nwhich will be discussed and is often called an "Authoritative-only Nameserver".","html":"

In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any\nURL the user wishes to visit. (See DNS caching server)\n \nIn a purely web hosting configuration, Bind will only resolve for the\nIP addresses of the domains which are being hosted. This is the configuration\nwhich will be discussed and is often called an "Authoritative-only Nameserver".

"},{"id":"text-449","type":"text","heading":"","plain_text":"When resolving IP addresses for a domain, Internic is\nexpecting a "Primary"\nand a "Secondary" DNS name server. (Sometimes called Master and Slave)\nEach DNS name server requires the file /etc/named.conf and the files it\npoints to.\nThis is typically two separate computer systems hosted on two different\nIP addresses. It is not necessary that the Linux servers be dedicated to\nDNS as they may run a web server, mail server, etc.","html":"

When resolving IP addresses for a domain, Internic is\nexpecting a "Primary"\nand a "Secondary" DNS name server. (Sometimes called Master and Slave)\nEach DNS name server requires the file /etc/named.conf and the files it\npoints to.\nThis is typically two separate computer systems hosted on two different\nIP addresses. It is not necessary that the Linux servers be dedicated to\nDNS as they may run a web server, mail server, etc.

"},{"id":"text-450","type":"text","heading":"","plain_text":"Note on Bind versions: Red Hat versions 6.x used Bind version 8.\nRelease 7.1 of Red Hat began using Bind version 9 and the GUI configuration\noutil bindconf was introduced for those of you that like a pretty\npoint and click interface for configuration.\n \nInstallation Packages:","html":"

Note on Bind versions: Red Hat versions 6.x used Bind version 8.\nRelease 7.1 of Red Hat began using Bind version 9 and the GUI configuration\noutil bindconf was introduced for those of you that like a pretty\npoint and click interface for configuration.\n \nInstallation Packages:

"},{"id":"text-451","type":"text","heading":"","plain_text":"Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind","html":"

Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind

"},{"id":"text-452","type":"text","heading":"","plain_text":"bind-chroot: Security jail for operation of bind.\nbind-utils: Utility commands like nslookup, host, dig\nsystem-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).\ncaching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.","html":"

bind-chroot: Security jail for operation of bind.\nbind-utils: Utility commands like nslookup, host, dig\nsystem-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).\ncaching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.

"},{"id":"text-453","type":"text","heading":"","plain_text":"Ubuntu (dapper/hardy/natty) / Debian: bind9","html":"

Ubuntu (dapper/hardy/natty) / Debian: bind9

"},{"id":"text-454","type":"text","heading":"","plain_text":"Configuration files:","html":"

Configuration files:

"},{"id":"text-455","type":"text","heading":"","plain_text":"Red Hat / Fedora / CentOS:","html":"

Red Hat / Fedora / CentOS:

"},{"id":"text-456","type":"text","heading":"","plain_text":"Fichier\nLa description\nDirectory\nChrooted Directory","html":"

Fichier\nLa description\nDirectory\nChrooted Directory

"},{"id":"text-457","type":"text","heading":"","plain_text":"named.conf\nPrimary/Secondary DNS server configuration.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)\n/etc/\n/var/named/chroot/etc/","html":"

named.conf\nPrimary/Secondary DNS server configuration.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)\n/etc/\n/var/named/chroot/etc/

"},{"id":"text-458","type":"text","heading":"","plain_text":"named.root.hints\nConfiguration for recursive service. Required for all zones.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)\n/etc/\n/var/named/chroot/etc/","html":"

named.root.hints\nConfiguration for recursive service. Required for all zones.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)\n/etc/\n/var/named/chroot/etc/

"},{"id":"text-459","type":"text","heading":"","plain_text":"nommé\nRed Hat system variables.\n/etc/sysconfig/\npas de changement","html":"

nommé\nRed Hat system variables.\n/etc/sysconfig/\npas de changement

"},{"id":"text-460","type":"text","heading":"","plain_text":"rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/named/chroot/etc/","html":"

rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/named/chroot/etc/

"},{"id":"text-461","type":"text","heading":"","plain_text":"Zone files\nConfiguration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.\n/var/named/\n/var/named/chroot/var/named/","html":"

Zone files\nConfiguration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.\n/var/named/\n/var/named/chroot/var/named/

"},{"id":"text-462","type":"text","heading":"","plain_text":"Debian / Ubuntu:","html":"

Debian / Ubuntu:

"},{"id":"text-463","type":"text","heading":"","plain_text":"Fichier\nLa description\nDirectory\nChrooted Directory","html":"

Fichier\nLa description\nDirectory\nChrooted Directory

"},{"id":"text-464","type":"text","heading":"","plain_text":"named.confnamed.conf.optionsnamed.conf.local\nPrimary/Secondary DNS server configuration.\n/etc/bind/\n/var/bind/chroot/etc/bind/","html":"

named.confnamed.conf.optionsnamed.conf.local\nPrimary/Secondary DNS server configuration.\n/etc/bind/\n/var/bind/chroot/etc/bind/

"},{"id":"text-465","type":"text","heading":"","plain_text":"rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/bind/chroot/etc/","html":"

rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/bind/chroot/etc/

"},{"id":"text-466","type":"text","heading":"","plain_text":"Zone files\nConfiguration files for each domain.\n/var/bind/data/\n/var/bind/chroot/var/bind/data/","html":"

Zone files\nConfiguration files for each domain.\n/var/bind/data/\n/var/bind/chroot/var/bind/data/

"},{"id":"text-467","type":"text","heading":"","plain_text":"Primary server (master):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) et /etc/sysconfig/named for system variables.\n Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options et /etc/bind/named.conf.local\n Simple example: (no views)","html":"

Primary server (master):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) et /etc/sysconfig/named for system variables.\n Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options et /etc/bind/named.conf.local\n Simple example: (no views)

"},{"id":"text-468","type":"text","heading":"","plain_text":"options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed.\n \n \n \n allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9","html":"

options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed.\n \n \n \n allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9

"},{"id":"text-469","type":"text","heading":"","plain_text":";","html":"

;

"},{"id":"text-470","type":"text","heading":"","plain_text":"zone "localhost" \n        type master;\n        file "/etc/bind/db.local";\n;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;","html":"

zone "localhost" \n        type master;\n        file "/etc/bind/db.local";\n;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;

"},{"id":"text-471","type":"text","heading":"","plain_text":"zone "your-domain.com" - Ubuntu separates the zone definitions into /etc/bind/named.conf.local \n \n \n \n type master; - Specify master, slave, forward or hint\n \n \n \n file "data/named.your-domain.com"; \n        notify yes; - slave servers are notified when the zone is updated.\n \n \n \n allow-update none; ; - deny updates from other hosts (default: none)\n \n \n \n allow-query any; ; - allow clients to query this server (default: any)","html":"

zone "your-domain.com" - Ubuntu separates the zone definitions into /etc/bind/named.conf.local \n \n \n \n type master; - Specify master, slave, forward or hint\n \n \n \n file "data/named.your-domain.com"; \n        notify yes; - slave servers are notified when the zone is updated.\n \n \n \n allow-update none; ; - deny updates from other hosts (default: none)\n \n \n \n allow-query any; ; - allow clients to query this server (default: any)

"},{"id":"text-472","type":"text","heading":"","plain_text":";\nzone "your-domain-2.com"\n        type master;\n        file "data/named.your-domain-2.com";\n        notify yes;\n;","html":"

;\nzone "your-domain-2.com"\n        type master;\n        file "data/named.your-domain-2.com";\n        notify yes;\n;

"},{"id":"text-473","type":"text","heading":"","plain_text":"Remarque:","html":"

Remarque:

"},{"id":"text-474","type":"text","heading":"","plain_text":"The omission of zone ".". Required if providing a recursive service.","html":"

The omission of zone ".". Required if providing a recursive service.

"},{"id":"text-475","type":"text","heading":"","plain_text":"Ubuntu includes the separated file of zone directives using the directive:\n include "/etc/bind/named.conf.local";","html":"

Ubuntu includes the separated file of zone directives using the directive:\n include "/etc/bind/named.conf.local";

"},{"id":"text-476","type":"text","heading":"","plain_text":"BIND Views:\nThe BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.","html":"

BIND Views:\nThe BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.

"},{"id":"text-477","type":"text","heading":"","plain_text":"If no views are specified then use the configuration shown above.","html":"

If no views are specified then use the configuration shown above.

"},{"id":"text-478","type":"text","heading":"","plain_text":"The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.","html":"

The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.

"},{"id":"text-479","type":"text","heading":"","plain_text":"If even one view is specified, then ALL zones MUST be associated with a "view".","html":"

If even one view is specified, then ALL zones MUST be associated with a "view".

"},{"id":"text-480","type":"text","heading":"","plain_text":"Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "interne" and "externe":","html":"

Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "interne" and "externe":

"},{"id":"text-481","type":"text","heading":"","plain_text":"localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf\n \ninternal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.\n \nexternal: The general public internet defined as client "any".","html":"

localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf\n \ninternal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.\n \nexternal: The general public internet defined as client "any".

"},{"id":"text-482","type":"text","heading":"","plain_text":"If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).","html":"

If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).

"},{"id":"text-483","type":"text","heading":"","plain_text":"In order to support a DNS for internet domains using views, one will have to configure an "external" view","html":"

In order to support a DNS for internet domains using views, one will have to configure an "external" view

"},{"id":"text-484","type":"text","heading":"","plain_text":"Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")","html":"

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

"},{"id":"text-485","type":"text","heading":"","plain_text":"options","html":"

options

"},{"id":"text-486","type":"text","heading":"","plain_text":"        directory "/var/named"; // the default\n        dump-file "data/cache_dump.db";\n        statistics-file "data/named_stats.txt";\n        memstatistics-file "data/named_mem_stats.txt";","html":"

        directory "/var/named"; // the default\n        dump-file "data/cache_dump.db";\n        statistics-file "data/named_stats.txt";\n        memstatistics-file "data/named_mem_stats.txt";

"},{"id":"text-487","type":"text","heading":"","plain_text":";\nenregistrement","html":"

;\nenregistrement

"},{"id":"text-488","type":"text","heading":"","plain_text":"    // By default, SELinux policy does not allow named to modify the /var/named\n    // directory, so put the default debug log file in data/ :\n \n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n;\nview "localhost_resolver"","html":"

    // By default, SELinux policy does not allow named to modify the /var/named\n    // directory, so put the default debug log file in data/ :\n \n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n;\nview "localhost_resolver"

"},{"id":"text-489","type":"text","heading":"","plain_text":"    // This view sets up named to be a localhost resolver ( caching only nameserver ).\n    // If all you want is a caching-only nameserver, then you need only define this view:\n    match-clients localhost; ;\n    ...\n;\nview "internal"","html":"

    // This view sets up named to be a localhost resolver ( caching only nameserver ).\n    // If all you want is a caching-only nameserver, then you need only define this view:\n    match-clients localhost; ;\n    ...\n;\nview "internal"

"},{"id":"text-490","type":"text","heading":"","plain_text":"    // This view will contain zones you want to serve only to "internal" clients\n    // that connect via your directly attached LAN interfaces - "localnets" .\n    // For local private LAN. Not covered in this tutorial.\n    // Delete this view if web hosting with no local LAN.\n    match-clients localnets; ;\n    ...\n;\nkey ddns_key","html":"

    // This view will contain zones you want to serve only to "internal" clients\n    // that connect via your directly attached LAN interfaces - "localnets" .\n    // For local private LAN. Not covered in this tutorial.\n    // Delete this view if web hosting with no local LAN.\n    match-clients localnets; ;\n    ...\n;\nkey ddns_key

"},{"id":"text-491","type":"text","heading":"","plain_text":"        algorithm hmac-md5;\n        secret "use /usr/sbin/dns-keygen to generate TSIG keys";\n;\nview "external"","html":"

        algorithm hmac-md5;\n        secret "use /usr/sbin/dns-keygen to generate TSIG keys";\n;\nview "external"

"},{"id":"text-492","type":"text","heading":"","plain_text":"    // This view will contain zones you want to serve only to "external" \n    // public internet clients. This is covered below.\n    match-clients any; ;\n    ...\n    ..\n;\n \n Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf","html":"

    // This view will contain zones you want to serve only to "external" \n    // public internet clients. This is covered below.\n    match-clients any; ;\n    ...\n    ..\n;\n \n Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

"},{"id":"text-493","type":"text","heading":"","plain_text":"cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc\nchcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints","html":"

cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc\nchcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

"},{"id":"text-494","type":"text","heading":"","plain_text":"view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:","html":"

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

"},{"id":"text-495","type":"text","heading":"","plain_text":"cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named\n also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root","html":"

cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named\n also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

"},{"id":"text-496","type":"text","heading":"","plain_text":"view "external": (master) – details –","html":"

view "external": (master) – details –

"},{"id":"text-497","type":"text","heading":"","plain_text":"view "external"","html":"

view "external"

"},{"id":"text-498","type":"text","heading":"","plain_text":"/* This view will contain zones you want to serve only to "external" clients\n * that have addresses that are not on your directly attached LAN interface subnets:\n * /\n        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS","html":"

/* This view will contain zones you want to serve only to "external" clients\n * that have addresses that are not on your directly attached LAN interface subnets:\n * /\n        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS

"},{"id":"text-499","type":"text","heading":"","plain_text":"recursion no;\n        // you'd probably want to deny recursion to external clients, so you don't\n        // end up providing free DNS service to all takers","html":"

recursion no;\n        // you'd probably want to deny recursion to external clients, so you don't\n        // end up providing free DNS service to all takers

"},{"id":"text-500","type":"text","heading":"","plain_text":"        // all views must contain the root hints zone:\n        include "/etc/named.root.hints";","html":"

        // all views must contain the root hints zone:\n        include "/etc/named.root.hints";

"},{"id":"text-501","type":"text","heading":"","plain_text":"        // These are your "authoritative" external zones, and would probably\n        // contain entries for just your web and mail servers:","html":"

        // These are your "authoritative" external zones, and would probably\n        // contain entries for just your web and mail servers:

"},{"id":"text-502","type":"text","heading":"","plain_text":"        zone "your-domain.com" \n                type master;\n                file "/var/named/data/external/named.your-domain.com";\n                notify yes;\n                allow-update none; ;\n        ;\n \n // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement\n \n \n \n include "/etc/named.conf.local"; \n;","html":"

        zone "your-domain.com" \n                type master;\n                file "/var/named/data/external/named.your-domain.com";\n                notify yes;\n                allow-update none; ;\n        ;\n \n // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement\n \n \n \n include "/etc/named.conf.local"; \n;

"},{"id":"text-503","type":"text","heading":"","plain_text":"DNS key:","html":"

DNS key:

"},{"id":"text-504","type":"text","heading":"","plain_text":"Use the following command /usr/sbin/dns-keygen to create a key.\nAdd this key to the "secret" statement as follows:","html":"

Use the following command /usr/sbin/dns-keygen to create a key.\nAdd this key to the "secret" statement as follows:

"},{"id":"text-505","type":"text","heading":"","plain_text":"key ddns_key","html":"

key ddns_key

"},{"id":"text-506","type":"text","heading":"","plain_text":"        algorithm hmac-md5;\n        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";\n;","html":"

        algorithm hmac-md5;\n        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";\n;

"},{"id":"text-507","type":"text","heading":"","plain_text":"Man Pages:","html":"

Man Pages:

"},{"id":"text-508","type":"text","heading":"","plain_text":"Forward Zone File: /var/named/named.your-domain.com","html":"

Forward Zone File: /var/named/named.your-domain.com

"},{"id":"text-509","type":"text","heading":"","plain_text":"Red Hat 9 / CentOS 3: /var/named/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com\n Ubuntu / Debian: /etc/bind/data/named.your-domain.com","html":"

Red Hat 9 / CentOS 3: /var/named/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com\n Ubuntu / Debian: /etc/bind/data/named.your-domain.com

"},{"id":"text-510","type":"text","heading":"","plain_text":"$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement.\n                     Measured in seconds. This value is 7 days.\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (\n   2000021600 ; en série - Many people use year+month+day+integer as a system.\n \n \n \n 86400 ; rafraîchir - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)\n \n \n \n 7200 ; réessayez - How long secondary server should wait for a retry if contact failed.\n \n \n \n 1209600 ; expirer - Secondary server to purge info after this length of time.\n \n \n \n 86400 ) ; default_ttl - How long data is held in cache by remote servers.\n \n \n \n IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. \n                                     I put the web server IP address here so that domain.com points to the same servers as www.domain.com","html":"

$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement.\n                     Measured in seconds. This value is 7 days.\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (\n   2000021600 ; en série - Many people use year+month+day+integer as a system.\n \n \n \n 86400 ; rafraîchir - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)\n \n \n \n 7200 ; réessayez - How long secondary server should wait for a retry if contact failed.\n \n \n \n 1209600 ; expirer - Secondary server to purge info after this length of time.\n \n \n \n 86400 ) ; default_ttl - How long data is held in cache by remote servers.\n \n \n \n IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. \n                                     I put the web server IP address here so that domain.com points to the same servers as www.domain.com

"},{"id":"text-511","type":"text","heading":"","plain_text":";\n; Name servers for the domain\n;\n       IN NS ns1.your-domain.com.\n       IN NS ns2.your-domain.com.\n;\n; Mail server for domain\n;\n       IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Faire NE PAS specify an IP address!","html":"

;\n; Name servers for the domain\n;\n       IN NS ns1.your-domain.com.\n       IN NS ns2.your-domain.com.\n;\n; Mail server for domain\n;\n       IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Faire NE PAS specify an IP address!

"},{"id":"text-512","type":"text","heading":"","plain_text":";\n; Nodes in domain\n;\nnode1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1","html":"

;\n; Nodes in domain\n;\nnode1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1

"},{"id":"text-513","type":"text","heading":"","plain_text":"ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1","html":"

ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1

"},{"id":"text-514","type":"text","heading":"","plain_text":"ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2","html":"

ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2

"},{"id":"text-515","type":"text","heading":"","plain_text":"mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail.","html":"

mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail.

"},{"id":"text-516","type":"text","heading":"","plain_text":";\n; Aliases to existing nodes in domain\n;\nwww IN CNAME node1 - Define the webserver "www" to be node1.","html":"

;\n; Aliases to existing nodes in domain\n;\nwww IN CNAME node1 - Define the webserver "www" to be node1.

"},{"id":"text-517","type":"text","heading":"","plain_text":"ftp IN CNAME node1 - Define the ftp server to be node1.\n \nDNS record types and format:","html":"

ftp IN CNAME node1 - Define the ftp server to be node1.\n \nDNS record types and format:

"},{"id":"text-518","type":"text","heading":"","plain_text":"DNS record\nDescription and Format","html":"

DNS record\nDescription and Format

"},{"id":"text-519","type":"text","heading":"","plain_text":"SOA\nStart of Authority: Primary domain server and contact info\n Note that there is a period following the primary domain server and contact email.\n Note that the email address is in the form where the first period represents the "@" symbol of the email address.","html":"

SOA\nStart of Authority: Primary domain server and contact info\n Note that there is a period following the primary domain server and contact email.\n Note that the email address is in the form where the first period represents the "@" symbol of the email address.

"},{"id":"text-520","type":"text","heading":"","plain_text":"your-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com.","html":"

your-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com.

"},{"id":"text-521","type":"text","heading":"","plain_text":"ou","html":"

ou

"},{"id":"text-522","type":"text","heading":"","plain_text":"@ in SOA ns1.your-domain.com. webmaster.your-domain.com.","html":"

@ in SOA ns1.your-domain.com. webmaster.your-domain.com.

"},{"id":"text-523","type":"text","heading":"","plain_text":"[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages:","html":"

[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages:

"},{"id":"text-524","type":"text","heading":"","plain_text":"view localhost_resolver: received notify for zone 'your-domain.com': not authoritative","html":"

view localhost_resolver: received notify for zone 'your-domain.com': not authoritative

"},{"id":"text-525","type":"text","heading":"","plain_text":"SOA attribute\nLa description","html":"

SOA attribute\nLa description

"},{"id":"text-526","type":"text","heading":"","plain_text":"en série\nNever use a value greater than 2147483647 for a 32 bit processor.Increment to a higher value to indicate an update to the slave server.","html":"

en série\nNever use a value greater than 2147483647 for a 32 bit processor.Increment to a higher value to indicate an update to the slave server.

"},{"id":"text-527","type":"text","heading":"","plain_text":"rafraîchir\nTime increment (seconds) between update checks of the serial number with the primary server","html":"

rafraîchir\nTime increment (seconds) between update checks of the serial number with the primary server

"},{"id":"text-528","type":"text","heading":"","plain_text":"réessayez\nTime elapsed before a slave will contact the primary server if a connection failed","html":"

réessayez\nTime elapsed before a slave will contact the primary server if a connection failed

"},{"id":"text-529","type":"text","heading":"","plain_text":"expirer\nTime till primary server information is considered invalid and should be refreshed if there is a new DNS query","html":"

expirer\nTime till primary server information is considered invalid and should be refreshed if there is a new DNS query

"},{"id":"text-530","type":"text","heading":"","plain_text":"le minimum\nTime for DNS servers should hold domain information in their cache before purging","html":"

le minimum\nTime for DNS servers should hold domain information in their cache before purging

"},{"id":"text-531","type":"text","heading":"","plain_text":"DANS\nIndicate Internet.","html":"

DANS\nIndicate Internet.

"},{"id":"text-532","type":"text","heading":"","plain_text":"NS\nSpecify the Authoritative Name servers for the domain.","html":"

NS\nSpecify the Authoritative Name servers for the domain.

"},{"id":"text-533","type":"text","heading":"","plain_text":"UNE\nSpecify the IP address associated with the host name.Format: nom d'hôte IN A XXX.XXX.XXX.XXXNote that in my example, no hostname is specified for the first record. This will define the default for the domain.","html":"

UNE\nSpecify the IP address associated with the host name.Format: nom d'hôte IN A XXX.XXX.XXX.XXXNote that in my example, no hostname is specified for the first record. This will define the default for the domain.

"},{"id":"text-534","type":"text","heading":"","plain_text":"CNAME\nSpecify an alias for the host name.","html":"

CNAME\nSpecify an alias for the host name.

"},{"id":"text-535","type":"text","heading":"","plain_text":"MX\nMail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain","html":"

MX\nMail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain

"},{"id":"text-536","type":"text","heading":"","plain_text":"PTR\nUsed to specify the reverse DNS lookup","html":"

PTR\nUsed to specify the reverse DNS lookup

"},{"id":"text-537","type":"text","heading":"","plain_text":"MX records for 3rd party off-site mail servers:","html":"

MX records for 3rd party off-site mail servers:

"},{"id":"text-538","type":"text","heading":"","plain_text":"your-domain.com. IN MX 10 mail1.offsitemail.com.\nyour-domain.com. IN MX 20 mail2.offsitemail.com.\n \nAppend to the above example file.\n Initial configuration:\n Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/","html":"

your-domain.com. IN MX 10 mail1.offsitemail.com.\nyour-domain.com. IN MX 20 mail2.offsitemail.com.\n \nAppend to the above example file.\n Initial configuration:\n Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/

"},{"id":"text-539","type":"text","heading":"","plain_text":"cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/\ncd /var/named/chroot/var/named/data/\nchcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local","html":"

cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/\ncd /var/named/chroot/var/named/data/\nchcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

"},{"id":"text-540","type":"text","heading":"","plain_text":"A file suffix of "zone" is also common i.e. your-domain.com.zone\nSecondary server (slave):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf\n Ubuntu / Debian: /etc/bind/named.conf\n Simple example with no views:","html":"

A file suffix of "zone" is also common i.e. your-domain.com.zone\nSecondary server (slave):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf\n Ubuntu / Debian: /etc/bind/named.conf\n Simple example with no views:

"},{"id":"text-541","type":"text","heading":"","plain_text":"options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named";\n allow-transfer none; ; - Slave is not transfering updates to anyone else\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9","html":"

options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named";\n allow-transfer none; ; - Slave is not transfering updates to anyone else\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9

"},{"id":"text-542","type":"text","heading":"","plain_text":";\nzone "localhost" \n        type master;\n        file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local","html":"

;\nzone "localhost" \n        type master;\n        file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local

"},{"id":"text-543","type":"text","heading":"","plain_text":";\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;","html":"

;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;

"},{"id":"text-544","type":"text","heading":"","plain_text":"zone "your-domain.com"\n        type slave; \n        file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL chrooted bind\n masters XXX.XXX.XXX.XXX; ; - IP address of primary DNS","html":"

zone "your-domain.com"\n        type slave; \n        file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL chrooted bind\n masters XXX.XXX.XXX.XXX; ; - IP address of primary DNS

"},{"id":"text-545","type":"text","heading":"","plain_text":";\nzone "your-domain-2.com"\n        type slave; \n        file "named.your-domain-2.com";\n        masters XXX.XXX.XXX.XXX; ;\n;\n \n view "external": (slave)","html":"

;\nzone "your-domain-2.com"\n        type slave; \n        file "named.your-domain-2.com";\n        masters XXX.XXX.XXX.XXX; ;\n;\n \n view "external": (slave)

"},{"id":"text-546","type":"text","heading":"","plain_text":"view "external"","html":"

view "external"

"},{"id":"text-547","type":"text","heading":"","plain_text":"        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer aucun; ; - Slave does not transfer to anyone, slave receives\n \n \n \n recursion no;\n        include "/etc/named.root.hints";","html":"

        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer aucun; ; - Slave does not transfer to anyone, slave receives\n \n \n \n recursion no;\n        include "/etc/named.root.hints";

"},{"id":"text-548","type":"text","heading":"","plain_text":"        zone "your-domain.com" \n                type slave;\n                file "/var/named/slaves/external/named.your-domain.com";\n                notify no; - Slave does not notify, slave is notified by master\n \n \n \n masters XXX.XXX.XXX.XXX; ; - State IP of master server\n \n \n \n ;\n;","html":"

        zone "your-domain.com" \n                type slave;\n                file "/var/named/slaves/external/named.your-domain.com";\n                notify no; - Slave does not notify, slave is notified by master\n \n \n \n masters XXX.XXX.XXX.XXX; ; - State IP of master server\n \n \n \n ;\n;

"},{"id":"text-549","type":"text","heading":"","plain_text":"Note: RHEL, CentOS, Fedora use chrooted directory structure\npermissions which require the use of the slaves sub-directory /var/named/slaves\n Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate a zone file on the slave.\n Information additionnelle:","html":"

Note: RHEL, CentOS, Fedora use chrooted directory structure\npermissions which require the use of the slaves sub-directory /var/named/slaves\n Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate a zone file on the slave.\n Information additionnelle:

"},{"id":"text-550","type":"text","heading":"","plain_text":"[Potential Pitfall]: Ubuntu dapper/hardy/natty – Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.","html":"

[Potential Pitfall]: Ubuntu dapper/hardy/natty – Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.

"},{"id":"text-551","type":"text","heading":"","plain_text":"[Potential Pitfall]: Ubuntu dapper/hardy/natty – Create log file and set ownership and permission for file not created by installation:","html":"

[Potential Pitfall]: Ubuntu dapper/hardy/natty – Create log file and set ownership and permission for file not created by installation:

"},{"id":"text-552","type":"text","heading":"","plain_text":"touch /var/log/bindlog\n \nchown root.bind /var/log/bindlog\n \nchmod 664 /var/log/bindlog","html":"

touch /var/log/bindlog\n \nchown root.bind /var/log/bindlog\n \nchmod 664 /var/log/bindlog

"},{"id":"text-553","type":"text","heading":"","plain_text":"[Potential Pitfall]: Error in /var/log/messages:","html":"

[Potential Pitfall]: Error in /var/log/messages:

"},{"id":"text-554","type":"text","heading":"","plain_text":"transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied\n \nNamed needs write permission on the directory containing the file. Ce\ncondition often occurs for a new "slave" or "secondary" name server\nwhere the zone files\ndo not yet exist. The default (RHEL, CentOS, Fedora, …):","html":"

transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied\n \nNamed needs write permission on the directory containing the file. Ce\ncondition often occurs for a new "slave" or "secondary" name server\nwhere the zone files\ndo not yet exist. The default (RHEL, CentOS, Fedora, …):

"},{"id":"text-555","type":"text","heading":"","plain_text":"drwxr-x--- 4 root named 4096 Aug 25 2004 named\n \ndrwxrwx--- 2 named named 4096 Sep 17 20:37 slaves","html":"

drwxr-x--- 4 root named 4096 Aug 25 2004 named\n \ndrwxrwx--- 2 named named 4096 Sep 17 20:37 slaves

"},{"id":"text-556","type":"text","heading":"","plain_text":"Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:\nfile "slaves/named.your-domain.com";\nBind Defaults:\n \nAfter the configuration files have been edited, restart the name daemon.","html":"

Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:\nfile "slaves/named.your-domain.com";\nBind Defaults:\n \nAfter the configuration files have been edited, restart the name daemon.

"},{"id":"text-557","type":"text","heading":"","plain_text":"/etc/init.d/named restart\n \n(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)","html":"

/etc/init.d/named restart\n \n(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)

"},{"id":"text-558","type":"text","heading":"","plain_text":"Bind zone transfers work best if the clocks of the two systems are synchronised.\nSee the YoLinux SysAdmin Tutorial: Time and ntpd","html":"

Bind zone transfers work best if the clocks of the two systems are synchronised.\nSee the YoLinux SysAdmin Tutorial: Time and ntpd

"},{"id":"text-559","type":"text","heading":"","plain_text":"File: /var/named/named.your-domain.com\nThis is created for you by Bind on the slave (secondary) server when it replicates from Primary server.","html":"

File: /var/named/named.your-domain.com\nThis is created for you by Bind on the slave (secondary) server when it replicates from Primary server.

"},{"id":"text-560","type":"text","heading":"","plain_text":"DNS GUI configuration:","html":"

DNS GUI configuration:

"},{"id":"text-561","type":"text","heading":"","plain_text":"Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind\n \nRed Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind","html":"

Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind\n \nRed Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind

"},{"id":"text-562","type":"text","heading":"","plain_text":"Test DNS:\nMust install packages:","html":"

Test DNS:\nMust install packages:

"},{"id":"text-563","type":"text","heading":"","plain_text":"Red Hat / Fedora Core / SuSE: bind-utils\n \nUbuntu (dapper/hardy/natty) / Debian: bind9-host","html":"

Red Hat / Fedora Core / SuSE: bind-utils\n \nUbuntu (dapper/hardy/natty) / Debian: bind9-host

"},{"id":"text-564","type":"text","heading":"","plain_text":"Test the name server with the\n          hôte\ncommand in interactive mode: \n hôte node.domain-to-test.com your-nameserver-to-test.domain.com\n \nNote: The name server may also be specified by IP address.\n \nou\n \nTest the name server with the\n          nslookup\ncommand in interactive mode:\n \n nslookup> server your-nameserver-to-test.domain.com\n \n \n \n > node.domain-to-test.com\n > exit\n \nTest the MX record if appropriate:\n \n nslookup -querytype=mx domain-to-test.com\n \n OU","html":"

Test the name server with the\n          hôte\ncommand in interactive mode: \n hôte node.domain-to-test.com your-nameserver-to-test.domain.com\n \nNote: The name server may also be specified by IP address.\n \nou\n \nTest the name server with the\n          nslookup\ncommand in interactive mode:\n \n nslookup> server your-nameserver-to-test.domain.com\n \n \n \n > node.domain-to-test.com\n > exit\n \nTest the MX record if appropriate:\n \n nslookup -querytype=mx domain-to-test.com\n \n OU

"},{"id":"text-565","type":"text","heading":"","plain_text":"host -t mx domain-to-test.com\n \nTest using the dig command:\n \n dig @name-server domain-to-query","html":"

host -t mx domain-to-test.com\n \nTest using the dig command:\n \n dig @name-server domain-to-query

"},{"id":"text-566","type":"text","heading":"","plain_text":"OU","html":"

OU

"},{"id":"text-567","type":"text","heading":"","plain_text":"dig @IP-address-of-name-server domain-to-query\n \nTest your DNS with the following DNS diagnostics web site: DnsStuff.com","html":"

dig @IP-address-of-name-server domain-to-query\n \nTest your DNS with the following DNS diagnostics web site: DnsStuff.com

"},{"id":"text-568","type":"text","heading":"","plain_text":"Extra logging to monitor Bind:\nAdd the following to your /etc/named.conf file.","html":"

Extra logging to monitor Bind:\nAdd the following to your /etc/named.conf file.

"},{"id":"text-569","type":"text","heading":"","plain_text":"logging \n        channel bindlog \n // Keep five old versions of the log-file (rotates logs)\n \n \n \n file "/var/log/bindlog" versions 5 size 1m;\n                           print-time yes;\n                           print-category yes;\n                           print-severity yes;\n                        ;\n/* If you want to enable debugging, eg. using the 'rndc trace' command,\n * named will try to write the 'named.run' file in the $directory (/var/named).\n * By default, SELinux policy does not allow named to modify the /var/named directory,\n * so put the default debug log file in data/ :\n * /\n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n        category xfer-out bindlog; ; - Zone transfers\n \n \n \n category xfer-in bindlog; ; - Zone transfers\n \n \n \n category security bindlog; ; - Approved/unapproved requests","html":"

logging \n        channel bindlog \n // Keep five old versions of the log-file (rotates logs)\n \n \n \n file "/var/log/bindlog" versions 5 size 1m;\n                           print-time yes;\n                           print-category yes;\n                           print-severity yes;\n                        ;\n/* If you want to enable debugging, eg. using the 'rndc trace' command,\n * named will try to write the 'named.run' file in the $directory (/var/named).\n * By default, SELinux policy does not allow named to modify the /var/named directory,\n * so put the default debug log file in data/ :\n * /\n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n        category xfer-out bindlog; ; - Zone transfers\n \n \n \n category xfer-in bindlog; ; - Zone transfers\n \n \n \n category security bindlog; ; - Approved/unapproved requests

"},{"id":"text-570","type":"text","heading":"","plain_text":"// The following logging statements, panic, insist and response-checks are \n// valid for Bind 8 only. Do not user for version 9.\n category panic bindlog; ; - System shutdowns\n \n \n \n category insist bindlog; ; - Internal consistency check failures\n \n \n \n category response-checks bindlog; ; - Messages","html":"

// The following logging statements, panic, insist and response-checks are \n// valid for Bind 8 only. Do not user for version 9.\n category panic bindlog; ; - System shutdowns\n \n \n \n category insist bindlog; ; - Internal consistency check failures\n \n \n \n category response-checks bindlog; ; - Messages

"},{"id":"text-571","type":"text","heading":"","plain_text":";","html":"

;

"},{"id":"text-572","type":"text","heading":"","plain_text":"Chroot Bind for extra security:\nNote: Most modern Linux distributions default to a "chrooted" installation.\nThis technique runs the Bind name service with a view of the filesystem\nwhich changes the definition of the root directory "/" to a directory\nin which Bind will operate. c'est à dire. /var/named/chroot.","html":"

Chroot Bind for extra security:\nNote: Most modern Linux distributions default to a "chrooted" installation.\nThis technique runs the Bind name service with a view of the filesystem\nwhich changes the definition of the root directory "/" to a directory\nin which Bind will operate. c'est à dire. /var/named/chroot.

"},{"id":"text-573","type":"text","heading":"","plain_text":"The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.\n \nThe latest RedHat bind updates run the named as user "named" to avoid a lot of\nearlier hacker exploits. To chroot the process is to create an even more\nsecure environment by limiting the view of the system that the process\ncan access. The process is limited to the chrooted directory assigned.\n \nThe chroot of the named process to a directory under a given user will\nprevent the possibility of an exploit which at one time would result in\nroot access.\nThe original default RedHat configuration (6.2) ran the named process as root,\nthus if an exploit was found, the named process will allow the hacker to use\nthe privileges of the root user. (no longer true)\n \nNamed Command Sytax:\n \n named -u utilisateur -g groupe -t directory-to-chroot-to\n \nExemple:\n named -u named -g named -t /opt/named\nWhen chrooted, the process does not have access to system\nlibraries thus a\nlocal lib directory is required with the appropriate library files –\ntheoretically. This does not seem to be the case here and as noted\nabove in chrooted FTP.\nIt's a mystery to me but it works????\nAnother method to handle libraries is to re-compile the named binary\nwith everything statically linked. Ajouter -static to the compile options.\nThe chrooted process should also require a local /etc/named.conf etc… but doesn't seem to???\n \nScript to create a chrooted bind environment:","html":"

The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.\n \nThe latest RedHat bind updates run the named as user "named" to avoid a lot of\nearlier hacker exploits. To chroot the process is to create an even more\nsecure environment by limiting the view of the system that the process\ncan access. The process is limited to the chrooted directory assigned.\n \nThe chroot of the named process to a directory under a given user will\nprevent the possibility of an exploit which at one time would result in\nroot access.\nThe original default RedHat configuration (6.2) ran the named process as root,\nthus if an exploit was found, the named process will allow the hacker to use\nthe privileges of the root user. (no longer true)\n \nNamed Command Sytax:\n \n named -u utilisateur -g groupe -t directory-to-chroot-to\n \nExemple:\n named -u named -g named -t /opt/named\nWhen chrooted, the process does not have access to system\nlibraries thus a\nlocal lib directory is required with the appropriate library files –\ntheoretically. This does not seem to be the case here and as noted\nabove in chrooted FTP.\nIt's a mystery to me but it works????\nAnother method to handle libraries is to re-compile the named binary\nwith everything statically linked. Ajouter -static to the compile options.\nThe chrooted process should also require a local /etc/named.conf etc… but doesn't seem to???\n \nScript to create a chrooted bind environment:

"},{"id":"text-574","type":"text","heading":"","plain_text":"#!/bin/sh\ncd /opt\nmkdir named\ncd named\nmkdir etc\nmkdir bin\nmkdir var\ncd var\nmkdir named\nmkdir run\ncd ..\nchown -R named.named bin etc var","html":"

#!/bin/sh\ncd /opt\nmkdir named\ncd named\nmkdir etc\nmkdir bin\nmkdir var\ncd var\nmkdir named\nmkdir run\ncd ..\nchown -R named.named bin etc var

"},{"id":"text-575","type":"text","heading":"","plain_text":"You can probably stop here. If your system acts like a chrooted system should,\nthen continue with the following:","html":"

You can probably stop here. If your system acts like a chrooted system should,\nthen continue with the following:

"},{"id":"text-576","type":"text","heading":"","plain_text":"cp -p /etc/named.conf etc\ncp -p /etc/localtime etc\ncp -p /bin/false bin\necho "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd\necho "named:x:25:" > etc/group\ntouch var/run/named.pid","html":"

cp -p /etc/named.conf etc\ncp -p /etc/localtime etc\ncp -p /bin/false bin\necho "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd\necho "named:x:25:" > etc/group\ntouch var/run/named.pid

"},{"id":"text-577","type":"text","heading":"","plain_text":"si [ -f /etc/namedb ]\npuis\n   cp -p /etc/namedb etc/namedb\nFi","html":"

si [ -f /etc/namedb ]\npuis\n   cp -p /etc/namedb etc/namedb\nFi

"},{"id":"text-578","type":"text","heading":"","plain_text":"mkdir dev\ncd dev","html":"

mkdir dev\ncd dev

"},{"id":"text-579","type":"text","heading":"","plain_text":"# Create a character unbuffered file.\nmknod -m ugo+rw null c 1 3","html":"

# Create a character unbuffered file.\nmknod -m ugo+rw null c 1 3

"},{"id":"text-580","type":"text","heading":"","plain_text":"cd ..\nchown -R named.named bin etc var","html":"

cd ..\nchown -R named.named bin etc var

"},{"id":"text-581","type":"text","heading":"","plain_text":"Add changes to the init script: /etc/rc.d/init.d/named","html":"

Add changes to the init script: /etc/rc.d/init.d/named

"},{"id":"text-582","type":"text","heading":"","plain_text":"#!/bin/bash\n#\n# named This shell script takes care of starting and stopping\n# named (BIND DNS server).\n#\n# chkconfig: - 55 45\n# description: named (BIND) is a Domain Name Server (DNS) \n# that is used to resolve host names to IP addresses.\n# probe: true","html":"

#!/bin/bash\n#\n# named This shell script takes care of starting and stopping\n# named (BIND DNS server).\n#\n# chkconfig: - 55 45\n# description: named (BIND) is a Domain Name Server (DNS) \n# that is used to resolve host names to IP addresses.\n# probe: true

"},{"id":"text-583","type":"text","heading":"","plain_text":"# Source function library.\n. /etc/rc.d/init.d/functions","html":"

# Source function library.\n. /etc/rc.d/init.d/functions

"},{"id":"text-584","type":"text","heading":"","plain_text":"# Source networking configuration.\n. /etc/sysconfig/network","html":"

# Source networking configuration.\n. /etc/sysconfig/network

"},{"id":"text-585","type":"text","heading":"","plain_text":"# Check that networking is up.\n[ $NETWORKING = \"no\" ] && exit 0","html":"

# Check that networking is up.\n[ $NETWORKING = "no" ] && exit 0

"},{"id":"text-586","type":"text","heading":"","plain_text":"[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named","html":"

[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

"},{"id":"text-587","type":"text","heading":"","plain_text":"[ -f /usr/sbin/named ] || exit 0","html":"

[ -f /usr/sbin/named ] || exit 0

"},{"id":"text-588","type":"text","heading":"","plain_text":"[ -f /etc/named.conf ] || exit 0","html":"

[ -f /etc/named.conf ] || exit 0

"},{"id":"text-589","type":"text","heading":"","plain_text":"RETVAL=0","html":"

RETVAL=0

"},{"id":"text-590","type":"text","heading":"","plain_text":"start() \n        # Start daemons.\n        echo -n "Starting named: "\n        daemon named -u named -g named -t /opt/named # Change made here\n\tRETVAL=$?\n \t[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named\nécho\n\treturn $RETVAL","html":"

start() \n        # Start daemons.\n        echo -n "Starting named: "\n        daemon named -u named -g named -t /opt/named # Change made here\n\tRETVAL=$?\n \t[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named\nécho\n\treturn $RETVAL

"},{"id":"text-591","type":"text","heading":"","plain_text":"stop() \n        # Stop daemons.\n        echo -n "Shutting down named: "\n        killproc named\n\tRETVAL=$?\n\t[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named\n        écho\n\treturn $RETVAL","html":"

stop() \n        # Stop daemons.\n        echo -n "Shutting down named: "\n        killproc named\n\tRETVAL=$?\n\t[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named\n        écho\n\treturn $RETVAL

"},{"id":"text-592","type":"text","heading":"","plain_text":"rhstatus() \n\t/usr/sbin/ndc status\n\treturn $?","html":"

rhstatus() \n\t/usr/sbin/ndc status\n\treturn $?

"},{"id":"text-593","type":"text","heading":"","plain_text":"restart() \nArrêtez\ndébut","html":"

restart() \nArrêtez\ndébut

"},{"id":"text-594","type":"text","heading":"","plain_text":"reload() \n\t/usr/sbin/ndc reload\n\treturn $?","html":"

reload() \n\t/usr/sbin/ndc reload\n\treturn $?

"},{"id":"text-595","type":"text","heading":"","plain_text":"probe() echo start\n\treturn $?","html":"

probe() echo start\n\treturn $?

"},{"id":"text-596","type":"text","heading":"","plain_text":"# See how we were called.\ncase "$1" in\n\tstart)\ndébut\n\t\t;;\n\tstop)\nArrêtez\n\t\t;;\n\tstatus)\n\t\trhstatus\n\t\t;;\n\trestart)\nredémarrer\n\t\t;;\n\tcondrestart)\n\t\t[ -f /var/lock/subsys/named ] && restart || :\n\t\t;;\n\treload)\nrecharger\n\t\t;;\n\tprobe)\nsonde\n\t\t;;\n\t*)\n        \techo "Usage: named condrestart"\nsortie 1\nesac","html":"

# See how we were called.\ncase "$1" in\n\tstart)\ndébut\n\t\t;;\n\tstop)\nArrêtez\n\t\t;;\n\tstatus)\n\t\trhstatus\n\t\t;;\n\trestart)\nredémarrer\n\t\t;;\n\tcondrestart)\n\t\t[ -f /var/lock/subsys/named ] && restart || :\n\t\t;;\n\treload)\nrecharger\n\t\t;;\n\tprobe)\nsonde\n\t\t;;\n\t*)\n        \techo "Usage: named condrestart"\nsortie 1\nesac

"},{"id":"text-597","type":"text","heading":"","plain_text":"exit $?","html":"

exit $?

"},{"id":"text-598","type":"text","heading":"","plain_text":"Note: The current version of bind from the RedHat errata updates and security\nfixes (http://www.redhat.com/support/errata/)\nruns the named process as user "named" in the home (not chrooted) directory\n /var/named with no shell available. (named -u named)\nThis should be secure enough.\nProceed with a chrooted installation if your are paranoid.\n \nVoir:","html":"

Note: The current version of bind from the RedHat errata updates and security\nfixes (http://www.redhat.com/support/errata/)\nruns the named process as user "named" in the home (not chrooted) directory\n /var/named with no shell available. (named -u named)\nThis should be secure enough.\nProceed with a chrooted installation if your are paranoid.\n \nVoir:

"},{"id":"text-599","type":"text","heading":"","plain_text":"Chrooted DNS configuration:\n \nModern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4)\ncome pre-configured to use "chrooted" bind. This security feature forces\neven an exploited version of bind to only operate within the "chrooted" jail\n /var/named/chroot\nwhich contains the familiar directories:","html":"

Chrooted DNS configuration:\n \nModern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4)\ncome pre-configured to use "chrooted" bind. This security feature forces\neven an exploited version of bind to only operate within the "chrooted" jail\n /var/named/chroot\nwhich contains the familiar directories:

"},{"id":"text-600","type":"text","heading":"","plain_text":"/var/named/chroot/etc: Configuration files\n \n/var/named/chroot/dev: devices used by bind:","html":"

/var/named/chroot/etc: Configuration files\n \n/var/named/chroot/dev: devices used by bind:

"},{"id":"text-601","type":"text","heading":"","plain_text":"/dev/null\n \n /dev/random\n \n /dev/zero","html":"

/dev/null\n \n /dev/random\n \n /dev/zero

"},{"id":"text-602","type":"text","heading":"","plain_text":"(Real devices created with the mknod command.)\n \n/var/named/chroot/var: Zone files and configuration information.","html":"

(Real devices created with the mknod command.)\n \n/var/named/chroot/var: Zone files and configuration information.

"},{"id":"text-603","type":"text","heading":"","plain_text":"These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".","html":"

These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

"},{"id":"text-604","type":"text","heading":"","plain_text":"If building from source you will have to generate this configuration manually:","html":"

If building from source you will have to generate this configuration manually:

"},{"id":"text-605","type":"text","heading":"","plain_text":"mkdir -p /var/named/chroot\n \nmkdir /var/named/chroot/dev\n \nmknod /var/named/chroot/dev/null c 1 3\n \nmknod /var/named/chroot/dev/zero c 1 5\n \nmknod /var/named/chroot/dev/random c 1 8\n \nchmod 666 -R /var/named/chroot/dev\n \nmkdir -p /var/named/chroot/etc\n \nln -s /var/named/chroot/etc/named.conf /etc/named.conf","html":"

mkdir -p /var/named/chroot\n \nmkdir /var/named/chroot/dev\n \nmknod /var/named/chroot/dev/null c 1 3\n \nmknod /var/named/chroot/dev/zero c 1 5\n \nmknod /var/named/chroot/dev/random c 1 8\n \nchmod 666 -R /var/named/chroot/dev\n \nmkdir -p /var/named/chroot/etc\n \nln -s /var/named/chroot/etc/named.conf /etc/named.conf

"},{"id":"text-606","type":"text","heading":"","plain_text":"mkdir -p /var/named/chroot/var/named\n \nln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX \n \nln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY \n \n…\n \nmkdir -p /var/named/chroot/var/named/slaves\n \nmkdir -p /var/named/chroot/var/named/data\n \nmkdir -p /var/named/chroot/var/run\n \nmkdir -p /var/named/chroot/var/tmp","html":"

mkdir -p /var/named/chroot/var/named\n \nln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX \n \nln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY \n \n…\n \nmkdir -p /var/named/chroot/var/named/slaves\n \nmkdir -p /var/named/chroot/var/named/data\n \nmkdir -p /var/named/chroot/var/run\n \nmkdir -p /var/named/chroot/var/tmp

"},{"id":"text-607","type":"text","heading":"","plain_text":"chown -R named:named /var/named/chroot\n \nchown -R root:named /var/named/chroot/var/named","html":"

chown -R named:named /var/named/chroot\n \nchown -R root:named /var/named/chroot/var/named

"},{"id":"text-608","type":"text","heading":"","plain_text":"Load Balancing of servers using Bind: DNS Round-Robin\nThis will populate DNS caching name servers around the world with different IP addresses for your web server www.your-domain.com\nFichier: /var/named/data/named.your-domain.com","html":"

Load Balancing of servers using Bind: DNS Round-Robin\nThis will populate DNS caching name servers around the world with different IP addresses for your web server www.your-domain.com\nFichier: /var/named/data/named.your-domain.com

"},{"id":"text-609","type":"text","heading":"","plain_text":"$TTL 604800\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com.","html":"

$TTL 604800\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com.

"},{"id":"text-610","type":"text","heading":"","plain_text":"...\n...","html":"

...\n...

"},{"id":"text-611","type":"text","heading":"","plain_text":"www IN A 192.168.1.1","html":"

www IN A 192.168.1.1

"},{"id":"text-612","type":"text","heading":"","plain_text":"www IN A 192.168.1.2","html":"

www IN A 192.168.1.2

"},{"id":"text-613","type":"text","heading":"","plain_text":"www IN A 192.168.1.3","html":"

www IN A 192.168.1.3

"},{"id":"text-614","type":"text","heading":"","plain_text":"www IN A 192.168.1.4","html":"

www IN A 192.168.1.4

"},{"id":"text-615","type":"text","heading":"","plain_text":"www IN A 192.168.1.5","html":"

www IN A 192.168.1.5

"},{"id":"text-616","type":"text","heading":"","plain_text":"www IN A 192.168.1.6","html":"

www IN A 192.168.1.6

"},{"id":"text-617","type":"text","heading":"","plain_text":"Remarque:","html":"

Remarque:

"},{"id":"text-618","type":"text","heading":"","plain_text":"This example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time for each request.\n              First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.\n \nA perfectly even load balance is not possible becaused network service providers run DNS caching servers which hold the resolved IP address for a different number of users.\n \nUsing multiple CNAME's to rotate records is no longer permissible in bind9.\n \nListing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.\n \nReducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a change in servers more quickly.","html":"

This example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time for each request.\n              First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.\n \nA perfectly even load balance is not possible becaused network service providers run DNS caching servers which hold the resolved IP address for a different number of users.\n \nUsing multiple CNAME's to rotate records is no longer permissible in bind9.\n \nListing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.\n \nReducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a change in servers more quickly.

"},{"id":"text-619","type":"text","heading":"","plain_text":"Also see lbnamed: lbnamed load balancing named","html":"

Also see lbnamed: lbnamed load balancing named

"},{"id":"text-620","type":"text","heading":"","plain_text":"Bind/DNS Links:\nDomain name registration:","html":"

Bind/DNS Links:\nDomain name registration:

"},{"id":"text-621","type":"text","heading":"","plain_text":"Domain Name Registrars:\n \nAfterNic.com – Domain name exchange and auction.\n \nBuyDomains.com – Buy a domain name that a squatter is holding.","html":"

Domain Name Registrars:\n \nAfterNic.com – Domain name exchange and auction.\n \nBuyDomains.com – Buy a domain name that a squatter is holding.

"},{"id":"text-622","type":"text","heading":"","plain_text":"Note that the Name registrations policies for the registrars are stated at ICANN.org.","html":"

Note that the Name registrations policies for the registrars are stated at ICANN.org.

"},{"id":"text-623","type":"text","heading":"","plain_text":"You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.\n \nMost free a domain name 30 days after it expires.","html":"

You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.\n \nMost free a domain name 30 days after it expires.

"},{"id":"text-624","type":"text","heading":"","plain_text":"Web Server Load Balancing:","html":"

Web Server Load Balancing:

"},{"id":"text-625","type":"text","heading":"","plain_text":"Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both.\n      Multiple options are available for load balancing.","html":"

Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both.\n      Multiple options are available for load balancing.

"},{"id":"text-626","type":"text","heading":"","plain_text":"DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.\nUse a Linux Virtual Server to Create a Load Balance Cluster. See next section below.\nRun a reverse proxy. See nginx ("engine X").\n          From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).\nRun the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.","html":"

DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.\nUse a Linux Virtual Server to Create a Load Balance Cluster. See next section below.\nRun a reverse proxy. See nginx ("engine X").\n          From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).\nRun the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.

"},{"id":"text-627","type":"text","heading":"","plain_text":"Using a Linux Virtual Server to Create a Load Balance Cluster:","html":"

Using a Linux Virtual Server to Create a Load Balance Cluster:

"},{"id":"text-628","type":"text","heading":"","plain_text":"You can use a single Linux server to forward requests to a cluster of servers\nusing iptables for IP masquerading and IPVsadm to scale your load.\nThe load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS).\nThe LVS receives the requests which are passed to the real servers which\nprocess and reply to the request.\nThis reply is forwarded to the client by the LVS.\n \nThis feature is available with the Linux 2.4/2.6 kernel.\n(If compiling kernel: Networking Options + IP: Virtual Server Configuration)\n \nConfiguration: This example will load balance http traffic to three web servers\nand ftp traffic to a fourth server.","html":"

You can use a single Linux server to forward requests to a cluster of servers\nusing iptables for IP masquerading and IPVsadm to scale your load.\nThe load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS).\nThe LVS receives the requests which are passed to the real servers which\nprocess and reply to the request.\nThis reply is forwarded to the client by the LVS.\n \nThis feature is available with the Linux 2.4/2.6 kernel.\n(If compiling kernel: Networking Options + IP: Virtual Server Configuration)\n \nConfiguration: This example will load balance http traffic to three web servers\nand ftp traffic to a fourth server.

"},{"id":"text-629","type":"text","heading":"","plain_text":"Enable Forwarding:\n    (Also see YoLinux Networking Tutorial: Enable Forwarding)\necho "1" > /proc/sys/net/ipv4/ip_forward","html":"

Enable Forwarding:\n    (Also see YoLinux Networking Tutorial: Enable Forwarding)\necho "1" > /proc/sys/net/ipv4/ip_forward

"},{"id":"text-630","type":"text","heading":"","plain_text":"Enable IP Masquerading:\niptables -t nat -P POSTROUTING DROPiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n For more on IP Masquerading, iptables and subnet addresses, see the\n    YoLinux network gateway tutorial.\n \nEnable virtual server:","html":"

Enable IP Masquerading:\niptables -t nat -P POSTROUTING DROPiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n For more on IP Masquerading, iptables and subnet addresses, see the\n    YoLinux network gateway tutorial.\n \nEnable virtual server:

"},{"id":"text-631","type":"text","heading":"","plain_text":"Create virtual service and choose scheduler for http (80) and ftp (21):\nipvsadm -A -t 66.218.88.103:80 -s wlcipvsadm -A -t 66.218.88.103:21 -s wrr\n Command directives:","html":"

Create virtual service and choose scheduler for http (80) and ftp (21):\nipvsadm -A -t 66.218.88.103:80 -s wlcipvsadm -A -t 66.218.88.103:21 -s wrr\n Command directives:

"},{"id":"text-632","type":"text","heading":"","plain_text":"A: Add a virtual service defined by IP address, port number, and protocol.\n \n-t: Use TCP service host:port\n \n-s: scheduler:","html":"

A: Add a virtual service defined by IP address, port number, and protocol.\n \n-t: Use TCP service host:port\n \n-s: scheduler:

"},{"id":"text-633","type":"text","heading":"","plain_text":"rr: Robin Robin: distributes jobs equally amongst the avail-\n                            able real servers.\n \nwrr: Weighted Round Robin.\n \nlc: Least-Connection: assigns more jobs to real servers with\n                            fewer active jobs.\n \nwlc: (Default) Weighted Least-Connection: assigns more jobs to servers\n                            with fewer jobs and relative to the real server's weight.\n \nlblc, lblcr, dh, sh, sed, nq. See man page.","html":"

rr: Robin Robin: distributes jobs equally amongst the avail-\n                            able real servers.\n \nwrr: Weighted Round Robin.\n \nlc: Least-Connection: assigns more jobs to real servers with\n                            fewer active jobs.\n \nwlc: (Default) Weighted Least-Connection: assigns more jobs to servers\n                            with fewer jobs and relative to the real server's weight.\n \nlblc, lblcr, dh, sh, sed, nq. See man page.

"},{"id":"text-634","type":"text","heading":"","plain_text":"Configure load balancing cluser.\nipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -mipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -mipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m\n Command directives:","html":"

Configure load balancing cluser.\nipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -mipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -mipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m\n Command directives:

"},{"id":"text-635","type":"text","heading":"","plain_text":"-r: Real server.\n \n-m: Use masquerading also known as network address translation (NAT)\n \n-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.","html":"

-r: Real server.\n \n-m: Use masquerading also known as network address translation (NAT)\n \n-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.

"},{"id":"text-636","type":"text","heading":"","plain_text":"Links:\n \nManaging Web Server Daemons:","html":"

Links:\n \nManaging Web Server Daemons:

"},{"id":"text-637","type":"text","heading":"","plain_text":"To view if these services are\nrunning, type ps -aux and look for the httpd, inetd and named\nservices (daemons). These are background processes necessary to perform\nthe server tasks.","html":"

To view if these services are\nrunning, type ps -aux and look for the httpd, inetd and named\nservices (daemons). These are background processes necessary to perform\nthe server tasks.

"},{"id":"text-638","type":"text","heading":"","plain_text":"root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named\n   nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd\n   nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd\n   root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd","html":"

root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named\n   nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd\n   nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd\n   root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd

"},{"id":"text-639","type":"text","heading":"","plain_text":"A new installation will most likely NOT start the named background process\nwhich may be started manually after configuration.\n See the YoLinux Init Process Tutorial\npour plus d'informations.\n The inetd (or xinetd) background process is the Internet daemon which\nstarts FTP when an ftp request is made.","html":"

A new installation will most likely NOT start the named background process\nwhich may be started manually after configuration.\n See the YoLinux Init Process Tutorial\npour plus d'informations.\n The inetd (or xinetd) background process is the Internet daemon which\nstarts FTP when an ftp request is made.

"},{"id":"text-640","type":"text","heading":"","plain_text":"Sys Admin Script:","html":"

Sys Admin Script:

"},{"id":"text-641","type":"text","heading":"","plain_text":"Script to prepare an account: (Red Hat/Fedora)","html":"

Script to prepare an account: (Red Hat/Fedora)

"},{"id":"text-642","type":"text","heading":"","plain_text":"#!/bin/sh\n# Author Greg Ippolito\n# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.\n# /opt/bin/ftponly\n# You must be root to run this script.\n#\nsi [ $# -eq 0 ]\npuis\n   echo "Enter user id as a command argument"\nelse if [ -r /home/$1 ]\npuis\n   echo "User's home directory already exists"\nautre\n   echo "1) Create user."\n   adduser -m $1","html":"

#!/bin/sh\n# Author Greg Ippolito\n# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.\n# /opt/bin/ftponly\n# You must be root to run this script.\n#\nsi [ $# -eq 0 ]\npuis\n   echo "Enter user id as a command argument"\nelse if [ -r /home/$1 ]\npuis\n   echo "User's home directory already exists"\nautre\n   echo "1) Create user."\n   adduser -m $1

"},{"id":"text-643","type":"text","heading":"","plain_text":"   echo "2) Set user Password."\n   passwd $1","html":"

   echo "2) Set user Password."\n   passwd $1

"},{"id":"text-644","type":"text","heading":"","plain_text":"   echo "3) Add read access to user directory so apache can read it."\n   cd /home\n   chmod ugo+rx $1\n   cd $1","html":"

   echo "3) Add read access to user directory so apache can read it."\n   cd /home\n   chmod ugo+rx $1\n   cd $1

"},{"id":"text-645","type":"text","heading":"","plain_text":"   echo "4) Create web directories."\n   mkdir public_html\n   chown $1.$1 public_html\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html\n   cd public_html\n   mkdir images\n   chown $1.$1 images\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images","html":"

   echo "4) Create web directories."\n   mkdir public_html\n   chown $1.$1 public_html\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html\n   cd public_html\n   mkdir images\n   chown $1.$1 images\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images

"},{"id":"text-646","type":"text","heading":"","plain_text":"   # Block potential for unauthenticated logins\n   cd ../\n   touch .rhosts\n   chmod ugo-xrw .rhosts","html":"

   # Block potential for unauthenticated logins\n   cd ../\n   touch .rhosts\n   chmod ugo-xrw .rhosts

"},{"id":"text-647","type":"text","heading":"","plain_text":"   echo "5) Create default web page"\n   sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html\n   cp -p /opt/etc/AccountDefaults/favicon.ico .\n   cp -p /opt/etc/AccountDefaults/default-logo.gif ./images\n   cp -p /opt/etc/AccountDefaults/robots.txt .\n   chown $1.$1 index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t images/default-logo.gif","html":"

   echo "5) Create default web page"\n   sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html\n   cp -p /opt/etc/AccountDefaults/favicon.ico .\n   cp -p /opt/etc/AccountDefaults/default-logo.gif ./images\n   cp -p /opt/etc/AccountDefaults/robots.txt .\n   chown $1.$1 index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t images/default-logo.gif

"},{"id":"text-648","type":"text","heading":"","plain_text":"   echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"\n   cp -p /etc/passwd /etc/passwd-`date +%m%d%y`\n   sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd","html":"

   echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"\n   cp -p /etc/passwd /etc/passwd-`date +%m%d%y`\n   sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd

"},{"id":"text-649","type":"text","heading":"","plain_text":"#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid\n#wu-ftp# echo "7) Add user to /etc/ftpaccess file"\n#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`\n#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess","html":"

#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid\n#wu-ftp# echo "7) Add user to /etc/ftpaccess file"\n#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`\n#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess

"},{"id":"text-650","type":"text","heading":"","plain_text":"   echo "7) Add user to vsftpd chroot list\n   cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list","html":"

   echo "7) Add user to vsftpd chroot list\n   cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list

"},{"id":"text-651","type":"text","heading":"","plain_text":"   echo "8) Setting Disk Quotas to default 50Mb limit:"\n# Use user johndoe as a prototype.\n   edquota -p johndoe $1","html":"

   echo "8) Setting Disk Quotas to default 50Mb limit:"\n# Use user johndoe as a prototype.\n   edquota -p johndoe $1

"},{"id":"text-652","type":"text","heading":"","plain_text":"   echo "9) Admin Follow-up:"\n   echo " Modify quota.user if different than default"\n   echo " Make changes to Bind names services on dns1 and dns2 if necessary"\n   echo " Change /etc/http/conf/httpd.conf or \n   echo " add config to /etc/http/conf.d/ if using a new domain name"\n   echo " Add e-mail aliases to mail server if necessary"\nFi\nFi","html":"

   echo "9) Admin Follow-up:"\n   echo " Modify quota.user if different than default"\n   echo " Make changes to Bind names services on dns1 and dns2 if necessary"\n   echo " Change /etc/http/conf/httpd.conf or \n   echo " add config to /etc/http/conf.d/ if using a new domain name"\n   echo " Add e-mail aliases to mail server if necessary"\nFi\nFi

"},{"id":"text-653","type":"text","heading":"","plain_text":"FYI: Sample robots.txt files:\n \nUseful links and resources:","html":"

FYI: Sample robots.txt files:\n \nUseful links and resources:

"},{"id":"text-654","type":"text","heading":"","plain_text":"Livres:","html":"

Livres:

"},{"id":"text-655","type":"text","heading":"","plain_text":""Ubuntu Unleashed 2017 edition:"\n Covering 16.10 and 17.04, 17.10 (12th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0134511182","html":"

"Ubuntu Unleashed 2017 edition:"\n Covering 16.10 and 17.04, 17.10 (12th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0134511182

"},{"id":"text-656","type":"text","heading":"","plain_text":""Ubuntu Unleashed 2013 edition:"\n Covering 12.10 and 13.04 (8th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672336243\n (Dec 15, 2012)","html":"

"Ubuntu Unleashed 2013 edition:"\n Covering 12.10 and 13.04 (8th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672336243\n (Dec 15, 2012)

"},{"id":"text-657","type":"text","heading":"","plain_text":""Ubuntu Unleashed 2012 edition:"\n Covering 11.10 and 12.04 (7th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672335786\n (Jan 16, 2012)","html":"

"Ubuntu Unleashed 2012 edition:"\n Covering 11.10 and 12.04 (7th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672335786\n (Jan 16, 2012)

"},{"id":"text-658","type":"text","heading":"","plain_text":""Red Hat Enterprise Linux 7: Desktops and Administration"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280620\n (Jan 13, 2017)","html":"

"Red Hat Enterprise Linux 7: Desktops and Administration"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280620\n (Jan 13, 2017)

"},{"id":"text-659","type":"text","heading":"","plain_text":""Fedora 18 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280639\n (Mar 6, 2013)","html":"

"Fedora 18 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280639\n (Mar 6, 2013)

"},{"id":"text-660","type":"text","heading":"","plain_text":""Fedora 18 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280698\n (March 29, 2013)","html":"

"Fedora 18 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280698\n (March 29, 2013)

"},{"id":"text-661","type":"text","heading":"","plain_text":""Fedora 14 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280167\n (Nov 30, 2010)","html":"

"Fedora 14 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280167\n (Nov 30, 2010)

"},{"id":"text-662","type":"text","heading":"","plain_text":""Fedora 14 Administration and Security"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280221\n (Jan 6, 2011)","html":"

"Fedora 14 Administration and Security"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280221\n (Jan 6, 2011)

"},{"id":"text-663","type":"text","heading":"","plain_text":""Fedora 14 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280191\n (Dec 26, 2010)","html":"

"Fedora 14 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280191\n (Dec 26, 2010)

"},{"id":"text-664","type":"text","heading":"","plain_text":""Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"\n by Mark Sobell\n Prentice Hall PTR, ISBN# 0137003889\n 2 edition (January 9, 2009)","html":"

"Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"\n by Mark Sobell\n Prentice Hall PTR, ISBN# 0137003889\n 2 edition (January 9, 2009)

"},{"id":"text-665","type":"text","heading":"","plain_text":""Fedora 10 and Red Hat Enterprise Linux Bible"\n by Christopher Negus\n Wiley, ISBN# 0470413395","html":"

"Fedora 10 and Red Hat Enterprise Linux Bible"\n by Christopher Negus\n Wiley, ISBN# 0470413395

"},{"id":"text-666","type":"text","heading":"","plain_text":""Red Hat Fedora 6 and Enterprise Linux Bible"\n by Christopher Negus\n Sams, ISBN# 047008278X","html":"

"Red Hat Fedora 6 and Enterprise Linux Bible"\n by Christopher Negus\n Sams, ISBN# 047008278X

"},{"id":"text-667","type":"text","heading":"","plain_text":""Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"\n by Richard Petersen\n Sams, ISBN# 0071486429","html":"

"Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"\n by Richard Petersen\n Sams, ISBN# 0071486429

"},{"id":"text-668","type":"text","heading":"","plain_text":""Red Hat Fedora Core 6 Unleashed"\n by Paul Hudson, Andrew Hudson\n Sams, ISBN# 0672329298","html":"

"Red Hat Fedora Core 6 Unleashed"\n by Paul Hudson, Andrew Hudson\n Sams, ISBN# 0672329298

"},{"id":"text-669","type":"text","heading":"","plain_text":""Red Hat Linux Fedora 3 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672327082","html":"

"Red Hat Linux Fedora 3 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672327082

"},{"id":"text-670","type":"text","heading":"","plain_text":""Red Hat Linux 9 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672325888\n May 8, 2003","html":"

"Red Hat Linux 9 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672325888\n May 8, 2003

"},{"id":"text-671","type":"text","heading":"","plain_text":"I have the Red Hat 6 version and I have found it to be very helpful.\n    I have found it to be way more complete than the other Linux books.\n    It is the most complete general Linux book in publication. While other\n    books in the "Unleashed" series have dissapointed me, this book\n    is the best out there.","html":"

I have the Red Hat 6 version and I have found it to be very helpful.\n    I have found it to be way more complete than the other Linux books.\n    It is the most complete general Linux book in publication. While other\n    books in the "Unleashed" series have dissapointed me, this book\n    is the best out there.

"},{"id":"text-672","type":"text","heading":"","plain_text":""Apache Server Bible 2"\n by Mohammed J. Kabir\n ISBN # 0764548212, Hungry Minds","html":"

"Apache Server Bible 2"\n by Mohammed J. Kabir\n ISBN # 0764548212, Hungry Minds

"},{"id":"text-673","type":"text","heading":"","plain_text":"This book is very complete covering all aspects in detail. Ce n'est pas\n    your basic reprint of the apache.org documents like so many others.","html":"

This book is very complete covering all aspects in detail. Ce n'est pas\n    your basic reprint of the apache.org documents like so many others.

"},{"id":"text-674","type":"text","heading":"","plain_text":""Pro DNS and Bind"\n by Ronald Aitchison\n Apress, ISBN# 1590594940","html":"

"Pro DNS and Bind"\n by Ronald Aitchison\n Apress, ISBN# 1590594940

"},{"id":"text-675","type":"text","heading":"","plain_text":"Click to rate this post!\n \n [Total: 0 Average: 0]","html":"

Click to rate this post!\n \n [Total: 0 Average: 0]

"}],"sections":[{"id":"text-1","heading":"Text","content":"Prérequis du site Web:"},{"id":"text-2","heading":"Text","content":"Ce tutoriel suppose que Linux est installé et fonctionne sur un ordinateur.\nVoir Installation de RedHat\npour les bases. Une connexion à Internet est également supposée.\nUne connexion de 128 Mbits / s ou plus donnera les meilleurs résultats.\nISDN, DSL, modem câble ou mieux sont tous appropriés.\nUn modem 56k fonctionnera mais les résultats seront au mieux médiocres.\nLes tâches doivent également être effectuées avec le nom d'utilisateur et le mot de passe de l'utilisateur root."},{"id":"text-3","heading":"Text","content":"Aucune distribution ne semble avoir un avantage. Une distribution Ubuntu, SuSe, Fedora, Red Hat ou CentOS inclura tous les logiciels dont vous aurez besoin pour configurer un serveur Web.\nSi vous utilisez Red Hat Enterprise Linux, l'édition Workstation ou Server répondra à vos besoins, à l'exception du fait que l'édition Workstation n'inclura pas le package vsFTP. Il devra être compilé à partir de la source ou utiliser sftp."},{"id":"text-4","heading":"Text","content":"Prérequis logiciels: Le serveur Web Apache (httpd),\nFTP (nécessite xinetd ou inetd)\net Bind (nommé)\nles progiciels avec leurs dépendances sont tous nécessaires.\nOn peut utiliser le rpm commande pour vérifier l'installation:"},{"id":"text-5","heading":"Text","content":"Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:"},{"id":"text-6","heading":"Text","content":"rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd\n \n RPM ajoutés FC2 +: system-config-httpd\n RPM ajoutés FC3 +: httpd-suexec"},{"id":"text-7","heading":"Text","content":"Chapeau rouge 9.0\n rpm -q httpd lier xinetd vsftpd\nUn RPM wu-ftpd Red Hat 8.0 peut être installé (version plus récente, version 2.6.2 ou ultérieure, avec correctif de sécurité). wu-ftpd-2.6.2-11) ou installer à partir de la source (rev 14)."},{"id":"text-8","heading":"Text","content":"Red Hat 8.0\n rpm -q httpd lie xinetd wu-ftpd"},{"id":"text-9","heading":"Text","content":"Red Hat 7.x:\n rpm -q apache bind inetd wu-ftpd\nUtilisez wu-ftpd version 2.6.2 ou ultérieure pour éviter les problèmes de sécurité."},{"id":"text-10","heading":"Text","content":"SuSE 9.3:\n rpm -ivh apache2 apache2-prefork lier lier-chrootenv lier-utils vsftpd\nRemarque: apache2-MPM est un terme générique désignant les options d'installation d'Apache.\npour "Modules de traitement multiple (MPM)", "prefork" ou "worker". Si vous essayez\net installez uniquement apache2, vous obtiendrez l’erreur suivante:\n apache2-MPM est nécessaire pour apache2-2.0.53-9\nVoir aussi Apache.org: MPMs"},{"id":"text-11","heading":"Text","content":"Ubuntu (natty 11.04 / 14.04) / Debian:"},{"id":"text-12","heading":"Text","content":"apt-get install apache2\n   apt-get install bind9\n   apt-get install vsftpd"},{"id":"text-13","heading":"Text","content":"Ubuntu (dapper 6.06 / hardy 8.04) / Debian:"},{"id":"text-14","heading":"Text","content":"apt-get install apache2 apache2 commun apache2-mpm-prefork apache2-utils\n   apt-get install bind9\n   apt-get install vsftpd"},{"id":"text-15","heading":"Text","content":"Vous devez également avoir une connaissance pratique du processus init Linux afin que ces services soient lancés au démarrage du système.\nConsultez le tutoriel sur le processus d'initialisation YoLinux pour plus d'informations."},{"id":"text-16","heading":"Text","content":"Configuration du serveur Web HTTP Apache:"},{"id":"text-17","heading":"Text","content":"Le fichier de configuration du serveur Web Apache est: /etc/httpd/conf/httpd.conf"},{"id":"text-18","heading":"Text","content":"Les pages Web sont servies à partir de l'annuaire tel que configuré par le\n DocumentRoot directif. L'emplacement du répertoire par défaut est:"},{"id":"text-19","heading":"Text","content":"Distribution Linux\nServeur Web Apache "DocumentRoot""},{"id":"text-20","heading":"Text","content":"Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6\n / var / www / html /"},{"id":"text-21","heading":"Text","content":"Red Hat 6.x et plus\n / home / httpd / html /"},{"id":"text-22","heading":"Text","content":"Suse 9.x\n / srv / www / htdocs /"},{"id":"text-23","heading":"Text","content":"Ubuntu (dapper 6.06) / Debian\n / var / www / html"},{"id":"text-24","heading":"Text","content":"Ubuntu (hardy 8.04 / natty 11.04 / fidèle 14.04) / Debian\n / var / www"},{"id":"text-25","heading":"Text","content":"La page d'accueil par défaut pour la configuration par défaut est index.html.\nNotez que les pages ne doivent pas appartenir à l'utilisateur apache comme c'est le\npropriétaire du processus du démon du serveur Web httpd. Si le processus du serveur Web est\ncompromis, il ne devrait pas être autorisé à modifier les fichiers. Les fichiers\ndevrait bien sûr être lisible par l'utilisateur apache."},{"id":"text-26","heading":"Text","content":"Apache peut être configuré pour s'exécuter de cette manière en tant qu'hôte pour un site Web.\nou il peut être configuré pour servir pour plusieurs domaines. Servir pour plusieurs\nLes domaines peuvent être atteints de deux manières:"},{"id":"text-27","heading":"Text","content":"Hôtes virtuels: Une adresse IP mais plusieurs domaines – Hébergement virtuel "basé sur le nom"."},{"id":"text-28","heading":"Text","content":"Plusieurs hôtes virtuels basés sur IP: Une adresse IP pour chaque domaine – Hébergement virtuel "basé sur IP"."},{"id":"text-29","heading":"Text","content":"La configuration par défaut permettra à l'un d'avoir plusieurs comptes d'utilisateurs\nsous un domaine en utilisant une référence au compte d'utilisateur:\n http: // www.domain.com/ ~ utilisateur1 /.\nSi aucun domaine n'est enregistré ou configuré, l'adresse IP peut également être utilisée:\n http: //XXX.XXX.XXX.XXX/ ~ utilisateur1 /."},{"id":"text-30","heading":"Text","content":"[Potential Pitfall] \nLe umask par défaut pour la création de répertoire est correct par défaut mais s'il ne l'est pas, utilisez:\n chmod 755 / home /utilisateur1/ public_html"},{"id":"text-31","heading":"Text","content":"[Potential Pitfall] Lors de la création de "Annuaire"\ndirectives de configuration,\nJ'ai trouvé que les placer par l'existant "Annuaire"directives\nêtre une mauvaise idée.\nIl n'utiliserait pas le .htaccess fichier. C'était parce que la déclaration\ndéfinir l'utilisation de la .htaccess le fichier était après la\n"Annuaire"déclaration. Précédemment dans RH 6.x\nles fichiers ont été séparés et l'ordre a été défini un peu différent.\nJe place maintenant de nouveaux "Annuaire"déclarations vers la fin du fichier juste\navant le "VirtualHost"déclarations."},{"id":"text-32","heading":"Text","content":"Pour les utilisateurs de Red Hat 7.1, l'outil de configuration de l'interface graphique apacheconf\na été introduit pour la foule qui aime utiliser de jolis outils de pointer et cliquer."},{"id":"text-33","heading":"Text","content":"Fichiers utilisés par Apache:"},{"id":"text-34","heading":"Text","content":"Script de démarrage / arrêt / redémarrage:"},{"id":"text-35","heading":"Text","content":"Red Hat / Fedora / CentOS: /etc/rc.d/init.d/httpd\n \nSuSE 9.3: /etc/init.d/apache2\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/init.d/apache2"},{"id":"text-36","heading":"Text","content":"Fichier de configuration principal Apache:"},{"id":"text-37","heading":"Text","content":"Red Hat / Fedora / CentOS: /etc/httpd/conf/httpd.conf\n \nSuSE: /etc/apache2/httpd.conf\n (Nécessité d'ajouter une directive: Nom du serveur nom d'hôte)\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian: /etc/apache2/apache2.conf"},{"id":"text-38","heading":"Text","content":"Fichiers de configuration supplémentaires Apache:"},{"id":"text-39","heading":"Text","content":"Red Hat / Fedora / CentOS: /etc/httpd/conf.d/composant.conf\n \nSuSE: /etc/apache2/conf.d/composant.conf\n \nUbuntu (dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04) / Debian:"},{"id":"text-40","heading":"Text","content":"Domaines virtuels: / etc / apache2 / sites-enabled /domaine\n (Créer un lien symbolique à partir de / etc / apache2 / sites-enabled /domaine à / etc / apache2 / sites-available /domaine pour allumer. Utiliser la commande a2ensite)\n \nDirectives de configuration supplémentaires: /etc/apache2/conf.d/\n \nModules à charger: / etc / apache2 / mods-available /\n (Lien symbolique vers / etc / apache2 / mods-enabled / pour allumer)\n \nPorts à écouter: /etc/apache2/ports.conf"},{"id":"text-41","heading":"Text","content":"/ var / log / httpd / access_log et error_log –\n    Fichiers journaux Apache Red Hat / Fedora Core\n (Suse: / var / log / apache2 /)"},{"id":"text-42","heading":"Text","content":"Démarrer / Arrêter / Redémarrer les scripts:\nLe script doit être exécuté avec les qualificatifs début, Arrêtez,\n redémarrer ou statut.\n c'est à dire.\n /etc/rc.d/init.d/httpd restart. Un redémarrage permet au serveur Web\npour redémarrer et lire les fichiers de configuration pour prendre en compte les modifications.\nPour que ce script soit appelé au démarrage du système, lancez la commande\n chkconfig --add httpd.\nVoir le tutoriel sur le processus Linux Init pour\nune discussion plus complète."},{"id":"text-43","heading":"Text","content":"Aussi outil de contrôle Apache: / usr / sbin / apachectl start"},{"id":"text-44","heading":"Text","content":"Apache Control Command: apachectl:"},{"id":"text-45","heading":"Text","content":"Red Hat / Fedora Core / CentOS: apachectl directif"},{"id":"text-46","heading":"Text","content":"Ubuntu dapper 6.06 / hardy 8.04 / natty 11.04 / trusty 14.04 / Debian: apachectl (lien logiciel vers apache2ctl) ou apache2ctl directif"},{"id":"text-47","heading":"Text","content":"Directif\nLa description"},{"id":"text-48","heading":"Text","content":"début\nDémarrez le démon Apache httpd. Donne une erreur s'il est déjà en cours d'exécution."},{"id":"text-49","heading":"Text","content":"Arrêtez\nArrête le démon Apache httpd."},{"id":"text-50","heading":"Text","content":"gracieux\nRedémarre gracieusement le démon Apache httpd. Si la\nle démon n'est pas en cours d'exécution, il est démarré. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées."},{"id":"text-51","heading":"Text","content":"gracieux-stop\nArrête gracieusement le démon Apache httpd. Cela diffère d'une normale\nredémarrer en ce que les connexions actuellement ouvertes ne sont pas abandonnées."},{"id":"text-52","heading":"Text","content":"redémarrer\nRedémarre le démon httpd Apache. Si le démon est\nne marche pas, c'est commencé. Cette commande vérifie automatiquement la\nfichiers de configuration comme dans configtest avant de lancer le redémarrage\nassurez-vous que le démon ne meurt pas."},{"id":"text-53","heading":"Text","content":"statut\nAffiche un bref rapport de statut."},{"id":"text-54","heading":"Text","content":"statut complet\nAffiche un rapport d'état complet de\nétat_modal. Requiert l'activation de mod_status sur votre serveur et une base de données textuelle\nnavigateur tel que Lynx disponible sur votre système. L'URL utilisée pour accéder\nle rapport d'état peut être défini en modifiant la variable STATUSURL dans le\nscénario."},{"id":"text-55","heading":"Text","content":"configtest-t\nExécutez un test de syntaxe du fichier de configuration."},{"id":"text-56","heading":"Text","content":"Outil de contrôle Apache: apachectl – page de manuel"},{"id":"text-57","heading":"Text","content":"Fichiers de configuration Apache:"},{"id":"text-58","heading":"Text","content":"/etc/httpd/conf/httpd.conf: est utilisé pour configurer Apache.\nDans le passé, il était divisé en trois fichiers. Ceux-ci peuvent maintenant être tous\nconcaténés dans un fichier.\nVoir la documentation en ligne Apache\npour le manuel complet."},{"id":"text-59","heading":"Text","content":"/etc/httpd/conf.d/application.conf: Tous les fichiers de configuration\n    dans ce répertoire sont inclus lors du démarrage d’Apache. Utilisé pour stocker des configurations spécifiques à une application."},{"id":"text-60","heading":"Text","content":"/ etc / sysconfig / httpd: Contient les variables d'environnement utilisées lors du démarrage d'Apache."},{"id":"text-61","heading":"Text","content":"Paramètres de base: Changer la valeur par défaut pour NomServeur www. <votre-domaine.com>"},{"id":"text-62","heading":"Text","content":"Autoriser Apache à accéder au système de fichiers: Il est prudent de limiter Apache\nvue du système de fichiers uniquement aux répertoires nécessaires. Ceci est fait avec\nla déclaration de répertoire.\nCommencez par refuser l'accès à tout, puis accordez l'accès aux ressources nécessaires.\ndes répertoires."},{"id":"text-63","heading":"Text","content":"Refuser complètement l'accès à la racine du système de fichiers ("/") par défaut:"},{"id":"text-64","heading":"Text","content":"Commencez par refuser, puis accordez les autorisations:"},{"id":"text-65","heading":"Text","content":"Options Aucune\n   AllowOverride None"},{"id":"text-66","heading":"Text","content":"Définissez l'emplacement par défaut des pages Web du système et autorisez l'accès: (Red Hat / Fedora / CentOS)"},{"id":"text-67","heading":"Text","content":"DocumentRoot "/ var / www / html""},{"id":"text-68","heading":"Text","content":"Index des options FollowSymLinks\n   AllowOverride None\n   Ordre permettre, refuser\n   Autoriser de tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+"},{"id":"text-69","heading":"Text","content":"Note: la directive "Exiger tout accordé"est nouveau depuis Apache httpd 2.4.3."},{"id":"text-70","heading":"Text","content":"Le comportement hérité peut être obtenu avec la commande: sudo a2enmod access_compat\nAccorder l'accès au répertoire Web d'un utilisateur: public_html"},{"id":"text-71","heading":"Text","content":"Activation de Red Hat / Fedora Linux, Apache public_html accès au répertoire utilisateur:\nCela permettra aux utilisateurs de servir le contenu de leurs répertoires personnels dans le sous-répertoire "/maison/identifiant d'utilisateur/ public_html /"en accédant à l'URL http: //nom d'hôte/ ~ userid /"},{"id":"text-72","heading":"Text","content":"Fichier: /etc/httpd/conf/httpd.conf"},{"id":"text-73","heading":"Text","content":"LoadModule userdir_module modules / mod_userdir.so"},{"id":"text-74","heading":"Text","content":"...\n..."},{"id":"text-75","heading":"Text","content":"#UserDir disable - Ajoute un commentaire à cette ligne\n #\n    # Pour permettre aux requêtes à / ~ utilisateur / de servir le public_html de l'utilisateur\n    # répertoire, supprimez la ligne "UserDir disable" ci-dessus et supprimez le commentaire\n    # la ligne suivante à la place:\n UserDir public_html # Décommenter cette ligne"},{"id":"text-76","heading":"Text","content":"...\n..."},{"id":"text-77","heading":"Text","content":"AllowOverride FileInfo AuthConfig Limit\n    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec\n \n Ordre permettre, refuser\n        Autoriser de tous\n \n \n \n \n \n Ordre nier, permettre\n        Refuser à tous"},{"id":"text-78","heading":"Text","content":"Passer à un commentaire (ajouter "#" au début de la ligne) à partir de Fedora Core par défaut UserDir désactiver et assigner le répertoire public_html en tant que répertoire accessible du serveur Web.\n OU\n Attribuez à un seul utilisateur la possibilité spécifique de partager son répertoire:"},{"id":"text-79","heading":"Text","content":"Les index des options incluent FollowSymLinks\n   AllowOverride None\n   ordre autoriser, refuser\n   permettre à tous\n   Exiger tout accordé - Ceci est requis pour Apache 2.4+"},{"id":"text-80","heading":"Text","content":"Permet à l'utilisateur spécifique, "utilisateur1"seulement, la possibilité de servir le répertoire /maison/utilisateur1/ public_html /\nUtilisez également la commande SELinux pour définir le contexte de sécurité: setsebool httpd_enable_homedirs true"},{"id":"text-81","heading":"Text","content":"Autorisations de répertoire: Le démon du serveur Web Apache doit pouvoir lire votre site Web.\npages afin d’alimenter leur contenu sur le réseau. Utilisez un approprié\numask et protection de fichiers. Autoriser l'accès au répertoire Web: chmod ugo + rx -R public_html.\n Notez que le répertoire de l'utilisateur doit également avoir les autorisations appropriées car il est le parent de public_html.\n Autorisations par défaut sur le répertoire de l'utilisateur: ls -l / home\n drwx ------ 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1\n Autorisez l’accès au serveur Web à exploiter le répertoire parent: chmod ugo + x / home / user1\n d-wx - x - x 20 utilisateur1 utilisateur1 4096 5 mars 12:16 utilisateur1"},{"id":"text-82","heading":"Text","content":"On peut également utiliser des groupes pour contrôler les autorisations.\nVoir le tutoriel YoLinux sur la gestion des groupes."},{"id":"text-83","heading":"Text","content":"Activer Apache d'Ubuntu public_html accès au répertoire utilisateur:\nUbuntu a découpé les directives du module chargeable Apache dans le répertoire\n/ etc / apache2 / mods-available /.\nPour activer un module Apache, générez des liens symboliques vers le répertoire / etc / apache2 / sites-enabled / en utilisant les commandes a2enmod/a2dismod activer / désactiver les modules Apache."},{"id":"text-84","heading":"Text","content":"Exemple:"},{"id":"text-85","heading":"Text","content":"[root@node2]# a2enmod\n Une liste des modules disponibles est affichée. Entrez "userdir" comme module à activer."},{"id":"text-86","heading":"Text","content":"Redémarrez Apache avec la commande suivante: /etc/init.d/apache2 force-reload"},{"id":"text-87","heading":"Text","content":"Remarque: Cela revient à générer manuellement les deux liens symboliques suivants:"},{"id":"text-88","heading":"Text","content":"ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf"},{"id":"text-89","heading":"Text","content":"ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load"},{"id":"text-90","heading":"Text","content":"Page de manuel: a2enmod / a2dismod"},{"id":"text-91","heading":"Text","content":"[Potential Pitfall]: Si le serveur Web Apache ne peut pas accéder au fichier, vous obtiendrez le message d'erreur "403 interdit" "Vous n'avez pas la permission d'accéder nom de fichier sur ce serveur. "\nNotez que les autorisations par défaut sur un répertoire utilisateur lors de sa création avec "useradd" sont les suivantes:"},{"id":"text-92","heading":"Text","content":"drwx ------ 3 userx userx\nVous devez autoriser le serveur Web exécuté en tant qu'utilisateur "apache" à accéder au répertoire s'il doit afficher les pages qu'il contient."},{"id":"text-93","heading":"Text","content":"Correction avec la commande: chmod ugo + rx / home / userx"},{"id":"text-94","heading":"Text","content":"drwxr-xr-x 3 userx userx"},{"id":"text-95","heading":"Text","content":"Ordre de fonctionnement du fichier de configuration:\nLes directives de configuration sont affectées dans l'ordre dans lequel elles sont lues.\nCeci est important sinon un comportement inattendu peut en résulter."},{"id":"text-96","heading":"Text","content":"Les fichiers de configuration Red Hat / CentOS / Fedora / AWS sont lus dans l'ordre suivant:"},{"id":"text-97","heading":"Text","content":"/etc/httpd/conf/httpd.conf\n lit les fichiers d'inclusion "Inclure conf.modules.d / *. Conf" et "IncludeOptional conf.d / *. Conf""},{"id":"text-98","heading":"Text","content":"/etc/httpd/conf.modules/*.conf"},{"id":"text-99","heading":"Text","content":"/etc/httpd/conf.d/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique."},{"id":"text-100","heading":"Text","content":"Les fichiers de configuration Ubuntu / Debian sont lus dans l'ordre suivant:"},{"id":"text-101","heading":"Text","content":"/etc/apache2/apache2.conf\n lit les fichiers d'inclusion"},{"id":"text-102","heading":"Text","content":"/etc/apache2/mods-enabled/*.load"},{"id":"text-103","heading":"Text","content":"/etc/apache2/mods-enabled/*.conf"},{"id":"text-104","heading":"Text","content":"/etc/apache2/conf-enabled/*.conf"},{"id":"text-105","heading":"Text","content":"/etc/apache2/sites-enabled/*.conf (généralement des définitions de domaine virtuel pour divers sites Web)\n Les fichiers de configuration sont lus dans l'ordre alphabétique."},{"id":"text-106","heading":"Text","content":"La valeur par défaut du serveur pour l'accès à l'aide de l'adresse IP est généralement le premier domaine défini dans "conf.d / *. conf"tel que défini par l'ordre alphabétique.\nC'est également ce que voient les pirates sur le site lors de l'analyse du réseau via des adresses IP.\nC'est souvent une malédiction d'avoir un domaine commençant par la lettre "a" car des serveurs mal configurés dirigeront tout le trafic des hackers vers ce site.\nPar conséquent, il est recommandé de générer une configuration par défaut pour l’accès aux adresses IP."},{"id":"text-107","heading":"Text","content":"Fichier: /etc/httpd/conf.d/1st.conf (Ubuntu: /etc/apache2/sites-enabled/1st.conf)"},{"id":"text-108","heading":"Text","content":"DirectoryIndex index.html"},{"id":"text-109","heading":"Text","content":"NomServeur www4.defaultdomain.com\n    DocumentRoot / srv / www / default / html\n    ErrorLog /var/log/httpd/1st-error.log\n    TransferLog /var/log/httpd/1st-access.log\n \n Options FollowSymLinks\n        AllowOverride None\n \n \n \n \n \n Options FollowSymLinks MultiViews Inclut\n        IndexOptions SuppressLastModified SuppressDescription\n        AllowOverride All\n        Ordre permettre, refuser\n        permettre à tous"},{"id":"text-110","heading":"Text","content":"Page Web par défaut: /srv/www/default/html/index.html devrait être une simple page statique sans accès à la base de données ou au CMS.\nAprès tout, les seuls qui se retrouvent ici sont les pirates.\nContextes de sécurité SELinux:\nFedora Core 3 et Red Hat Enterprise Linux 4 ont introduit les règles de sécurité et les étiquettes de contexte SELinux (Security Enhanced Linux).\n \nPour afficher les étiquettes de contexte de sécurité appliquées à vos fichiers de page Web, utilisez la commande\ncommander: ls -Z\nLe système active / désactive les politiques SELinux dans le fichier. / etc / selinux / config\n SELinux peut être désactivé en définissant la directive SELINUX. (Ensuite, redémarrez le système):"},{"id":"text-111","heading":"Text","content":"SELINUX = désactivé"},{"id":"text-112","heading":"Text","content":"ou en utilisant la commande setenforce 0 désactiver temporairement SELinux jusqu'au prochain redémarrage."},{"id":"text-113","heading":"Text","content":"Lorsque vous utilisez les fonctions de sécurité de SELinux,\nles étiquettes de contexte de sécurité doivent être ajoutées pour qu'Apache puisse lire vos fichiers.\nL'étiquette de contexte de sécurité par défaut utilisée est héritée du répertoire des fichiers nouvellement créés. Donc une copie (cp) doit être utilisé et non un mouvement (mv)\nlors du placement de fichiers dans le répertoire de contenu. Déplacer ne crée pas un nouveau\nfichier et donc le fichier ne reçoit pas le contexte de sécurité du répertoire\nétiquette.\nLes étiquettes de contexte utilisées pour les répertoires Apache par défaut peuvent être\nvu\navec la commande: ls -Z / var / www\n Les répertoires Web des utilisateurs (c'est-à-dire public_html) devrait\nêtre défini avec l'étiquette de contexte appropriée (httpd_sys_content_t).\n \nAttribuez un contexte de sécurité pour les pages Web: chcon -R -h -t httpd_sys_content_t / home /utilisateur1/ public_html\n Options:"},{"id":"text-114","heading":"Text","content":"-R: récursif. Fichiers et répertoires du répertoire en cours et de tous les sous-répertoires."},{"id":"text-115","heading":"Text","content":"-h: affecte les liens symboliques."},{"id":"text-116","heading":"Text","content":"-t: spécifie le type de contexte de sécurité."},{"id":"text-117","heading":"Text","content":"Utilisez les contextes de sécurité suivants:"},{"id":"text-118","heading":"Text","content":"Type de contexte\nLa description"},{"id":"text-119","heading":"Text","content":"httpd_sys_content_t\nUtilisé pour le contenu Web statique. c'est-à-dire des pages Web HTML."},{"id":"text-120","heading":"Text","content":"httpd_sys_script_exec_t\nUtiliser pour les scripts CGI exécutables ou les exécutables binaires."},{"id":"text-121","heading":"Text","content":"httpd_sys_script_rw_t\nCGI est autorisé à modifier / supprimer des fichiers de ce contexte."},{"id":"text-122","heading":"Text","content":"httpd_sys_script_ra_t\nCGI est autorisé à lire ou à annexer des fichiers de ce contexte."},{"id":"text-123","heading":"Text","content":"httpd_sys_script_ro_t\nCGI est autorisé à lire les fichiers et les répertoires de ce contexte."},{"id":"text-124","heading":"Text","content":"Définissez les options suivantes: setsebool httpd-option vrai\n (ou réglé sur faux)"},{"id":"text-125","heading":"Text","content":"Politique\nLa description"},{"id":"text-126","heading":"Text","content":"httpd_enable_cgi \nAutoriser le support de httpd cgi."},{"id":"text-127","heading":"Text","content":"httpd_enable_homedirs \nAutoriser httpd à lire les répertoires personnels."},{"id":"text-128","heading":"Text","content":"httpd_ssi_exec \nAutorisez httpd à exécuter les exécutables SSI dans le même domaine que les scripts CGI du système."},{"id":"text-129","heading":"Text","content":"Puis redémarrez Apache:"},{"id":"text-130","heading":"Text","content":"Red Hat / Fedora / Suse et tous les systèmes Linux basés sur un script d'initialisation System V: /etc/init.d/httpd restart"},{"id":"text-131","heading":"Text","content":"Red Hat / Fedora: service httpd restart"},{"id":"text-132","heading":"Text","content":"Les valeurs booléennes SE par défaut sont spécifiées dans le fichier: / etc / selinux / target / booleans"},{"id":"text-133","heading":"Text","content":"Pour plus d’informations sur SELinux, reportez-vous au tutoriel sur l’administration de systèmes YoLinux."},{"id":"text-134","heading":"Text","content":"Hôtes Virtuels:\nLe serveur Web Apache permet de configurer un seul ordinateur pour représenter plusieurs sites Web comme s'ils se trouvaient sur des hôtes distincts.\nDeux méthodes sont disponibles et nous décrivons la configuration de chacune. Choisissez une méthode pour votre domaine:"},{"id":"text-135","heading":"Text","content":"Nom d'hôte virtuel: (le plus commun)\n    Un seul ordinateur avec une seule adresse IP prenant en charge plusieurs domaines Web.\n    Le navigateur Web utilisant le protocole http identifie le domaine en cours d’adresse."},{"id":"text-136","heading":"Text","content":"Hôte virtuel basé sur IP:\n    Les hôtes virtuels peuvent être configurés comme un seul ordinateur multi-hébergé avec plusieurs adresses IP sur une seule carte réseau, chaque adresse IP représentant un domaine Web différent.\n    Cela a l'apparence d'un domaine Web pris en charge par un ordinateur dédié car il possède une adresse IP dédiée."},{"id":"text-137","heading":"Text","content":"Configuration d'un hôte virtuel "basé sur le nom":\nUne configuration d'hôte virtuel permet d'héberger plusieurs domaines de site Web sur un serveur.\n(Cela n'est pas nécessaire pour un serveur Linux dédié hébergeant un seul site Web.)"},{"id":"text-138","heading":"Text","content":"NameVirtualHost XXX.XXX.XXX.XXX"},{"id":"text-139","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com - CNAME (alias DNS www) spécifié dans (/ var / named / ...)\n ServerAlias votre-domaine.com - Autorise les requêtes sans le préfixe "www".\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_htmlLogs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log"},{"id":"text-140","heading":"Text","content":"Remarques:"},{"id":"text-141","heading":"Text","content":"Vous pouvez spécifier plusieurs adresses IP. c'est à dire si web\nserveur est également utilisé comme pare-feu / passerelle et vous avez un\nadresse IP Internet externe ainsi qu’une adresse IP de réseau local."},{"id":"text-142","heading":"Text","content":"NameVirtualHost XXX.XXX.XXX.XXX"},{"id":"text-143","heading":"Text","content":"NameVirtualHost 192.168.XXX.XXX"},{"id":"text-144","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>\n   ...\n   .."},{"id":"text-145","heading":"Text","content":"Reportez-vous au didacticiel YoLinux pour configurer un routeur / pare-feu réseau avec iptables et NAT."},{"id":"text-146","heading":"Text","content":"Utilisez votre adresse IP pour XXX.XXX.XXX.XXX, nom de domaine et adresse e-mail actuels.\n On peut utiliser les vues DNS pour fournir différents résultats DNS du réseau local."},{"id":"text-147","heading":"Text","content":"L'adresse IP de l'hôte peut être référencée de manière générique pour fonctionner sur toutes les cartes réseau:"},{"id":"text-148","heading":"Text","content":"<VirtualHost *: 80>\n   ...\n   .."},{"id":"text-149","heading":"Text","content":"Remarque Cette méthode est recommandée pour les hébergements basés sur NAT, tels qu'Amazon Web Services (AWS) EC2."},{"id":"text-150","heading":"Text","content":"Notez que je configure Apache pour les deux demandes http: // www.nom de domaine.com et http: //nom de domaine.com."},{"id":"text-151","heading":"Text","content":"Une fois les hôtes virtuels configurés, votre système par défaut\n    domaine (/ var / www / html) cessera de fonctionner.\n    Votre domaine par défaut doit maintenant être configuré en tant que domaine virtuel."},{"id":"text-152","heading":"Text","content":"... Cette partie reste la même\n \n \n \n .."},{"id":"text-153","heading":"Text","content":"# Valeur par défaut lorsque aucun nom de domaine n’est donné (accès par adresse IP, par exemple)"},{"id":"text-154","heading":"Text","content":"<VirtualHost *: 80>\n   ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log"},{"id":"text-155","heading":"Text","content":"# Ajoutez une définition VirtualHost pour votre domaine qui était autrefois la valeur par défaut du système."},{"id":"text-156","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.XXX>Nom du serveur www.votre-domaine.com\n \n \n \n ServerAlias votre-domaine.com\n \n \n \n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / var / www / html\n   ErrorLog logs / error_log\n   TransferLog logs / access_log"},{"id":"text-157","heading":"Text","content":"...\n   .."},{"id":"text-158","heading":"Text","content":"Transfert vers une URL primaire. Il est préférable d'éviter l'apparition de contenu Web dupliqué à partir de deux URL telles que http: // www.ton domaine.com et\n http: //ton domaine.com. Fournissez une "redirection" Apache de redirection."},{"id":"text-159","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur www.votre-domaine.com - Notez qu'aucun alias n'est répertorié\n \n \n \n ...\n   ..."},{"id":"text-160","heading":"Text","content":"# Ajouter une définition VirtualHost à transférer à votre URL principale"},{"id":"text-161","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur votre-domaine.com\n \n \n \n ServerAlias autre-domaine.com\n \n \n \n ServerAlias ​​www.autre-domaine.com\n \n \n \n Rediriger permanent / http: // www.votre-domaine.com.com /"},{"id":"text-162","heading":"Text","content":"...\n   ..\n \nRemarque:"},{"id":"text-163","heading":"Text","content":"Plus d'exemples d'hôte virtuel."},{"id":"text-164","heading":"Text","content":"Lorsqu’ils spécifient plus de domaines, ils peuvent tous utiliser la même adresse IP ou certains / tous\npeuvent utiliser leur propre adresse IP unique.\nSpécifiez un "NameVirtualHost" pour chaque adresse IP."},{"id":"text-165","heading":"Text","content":"Une fois les fichiers de configuration Apache modifiés, redémarrez le démon httpd:\n /etc/rc.d/init.d/httpd restart (Chapeau rouge) ou /etc/init.d/apache2 restart (Ubuntu / Debian)"},{"id":"text-166","heading":"Text","content":"Configuration du domaine virtuel Apache avec Ubuntu:\nUbuntu sépare chaque domaine virtuel dans un fichier de configuration séparé\ntenue dans l'annuaire / etc / apache2 / sites-available /.\nLorsque le domaine du site doit devenir actif, un lien symbolique est créé vers le répertoire. / etc / apache2 / sites-enabled /.\nExemple: / etc / apache2 / sites-available / supercorp"},{"id":"text-167","heading":"Text","content":"NomServeur supercorp.com\n        ServerAlias ​​www.supercorp.com\n        Webmaster ServerAdmin @ localhost"},{"id":"text-168","heading":"Text","content":"        DocumentRoot / home / supercorp / public_html / home\n \n Options FollowSymLinks\n                AllowOverride None\n \n \n \n \n \n Options Index FollowSymLinks MultiViews\n                IndexOptions SuppressLastModified SuppressDescription\n                AllowOverride All\n                Ordre permettre, refuser\n                permettre à tous\n                Exiger tout accordé - Ceci est requis pour Apache 2.4+"},{"id":"text-169","heading":"Text","content":"ScriptAlias ​​/ cgi-bin / / home / supercorp / cgi-bin /\n \n AllowOverride None\n                Options + ExecCGI -MultiViews + SymLinksIfOwnerMatch\n                Ordre permettre, refuser\n                Autoriser de tous"},{"id":"text-170","heading":"Text","content":"ErrorLog /var/log/apache2/supercorp.com-error.log"},{"id":"text-171","heading":"Text","content":"        # Les valeurs possibles incluent: debug, info, notice, avertir, erreur,\n        # crit, alerte, émergent.\n        LogLevel avertir\n        CustomLog /var/log/apache2/supercorp.com-access.log combinés\n        ServerSignature On"},{"id":"text-172","heading":"Text","content":"Activer le domaine:"},{"id":"text-173","heading":"Text","content":"Créer un lien symbolique:"},{"id":"text-174","heading":"Text","content":"Manuellement: ln -s / etc / apache2 / sites-disponibles / supercorp / etc / apache2 / sites-enabled / supercorp\n \nUtiliser les scripts Ubuntu a2ensite/a2dissite. Tapez commande et il vous demandera quel site vous souhaitez activer ou désactiver."},{"id":"text-175","heading":"Text","content":"Redémarrez Apache:"},{"id":"text-176","heading":"Text","content":"apachectl gracieux\n ou\n \n/etc/init.d/apache2 restart\n ou\n \n/etc/init.d/apache2 reload"},{"id":"text-177","heading":"Text","content":"Notez également que les modules Apache peuvent également être activés / désactivés avec des scripts a2enmod / a2dismod."},{"id":"text-178","heading":"Text","content":"Pages de manuel:"},{"id":"text-179","heading":"Text","content":"Configuration d'un hôte virtuel "basé sur IP":\nOn peut attribuer plusieurs adresses IP à une seule interface réseau.\nVoir le tutoriel de mise en réseau YoLinux: Aliasing de réseau.\nChaque adresse IP peut alors être son propre serveur virtuel et son propre domaine.\nL’inconvénient de la méthode d’hôte virtuel "basée sur IP" est que vous devez posséder\nadresses IP multiples / supplémentaires. Cela coûte généralement plus cher.\nLa méthode d'hébergement virtuel basée sur le nom standard ci-dessus est plus populaire pour cette raison."},{"id":"text-180","heading":"Text","content":"NameVirtualHost * - Indique toutes les adresses IP"},{"id":"text-181","heading":"Text","content":"<VirtualHost *>\n   ServerAdmin utilisateur0@default-domain.com\n \n \n \n DocumentRoot / home /utilisateur0/ public_html"},{"id":"text-182","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.101>\n   ServerAdmin utilisateur1@domain-1.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html"},{"id":"text-183","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.102>\n   ServerAdmin utilisateur1@domain-2.com\n \n \n \n DocumentRoot / home /utilisateur2/ public_html"},{"id":"text-184","heading":"Text","content":"Le défaut bloc sera utilisé par défaut\npour toutes les adresses IP non spécifiées explicitement.\nCette adresse IP par défaut (*) peut ne pas fonctionner pour https URL.\nCGI: (interface de passerelle commune)\nCGI est un programme exécutable qui génère dynamiquement une page Web en écrivant\nà stdout. CGI est autorisé par l'une des deux directives de fichier de configuration suivantes:\nLes fichiers de programme exécutables doivent avoir les privilèges d’exécution, exécutables par le\npropriétaire du processus (Red Hat 7 + / Fedora Core: apache.\nUtilisation plus ancienne personne) sous lequel le démon httpd est exécuté.\nConfiguration de CGI pour une exécution avec des privilèges utilisateur:\nLa fonctionnalité suEXEC offre aux utilisateurs Apache la possibilité d’exécuter CGI et SSI.\nprogrammes sous des identifiants d'utilisateur différents de ceux de l'appelant\nserveur Web. Normalement, lorsqu'un programme CGI ou SSI s'exécute, il s'exécute en tant que\nle même utilisateur qui exécute le serveur Web."},{"id":"text-185","heading":"Text","content":"NameVirtualHost XXX.XXX.XXX.XXX"},{"id":"text-186","heading":"Text","content":"<VirtualHost XXX.XXX.XXX.XXX>\n   Nom du serveur noeud1.votre-domaine.com - Permet les demandes par nom de domaine sans le préfixe "www".\n ServerAlias votre-domaine.com www.votre-domaine.com - CNAME (alias www) spécifié dans le fichier de configuration Bind (/ var / named / ...)\n ServerAdmin utilisateur1@votre-domaine.com\n \n \n \n DocumentRoot / home /utilisateur1/ public_html /votre-domaine.com\n \n \n \n Logs ErrorLog /votre-domaine.com-error_log\n   Journaux TransferLog /votre-domaine.com-access_log"},{"id":"text-187","heading":"Text","content":"   SuexecUserGroup utilisateur1 utilisateur1\n \n \n \n <Répertoire / home /utilisateur1/ public_html /votre-domaine.com/>\n      Options + ExecCGI + Index\n      AddHandler cgi-script .cgi"},{"id":"text-188","heading":"Text","content":"Pages d'erreur:\nVous pouvez spécifier vos propres pages Web au lieu des pages d'erreur Apache par défaut:"},{"id":"text-189","heading":"Text","content":"ErrorDocument 404 /Error404-missing.html\nCréer le fichier Error404-missing.html dans votre répertoire "DocumentRoot"."},{"id":"text-190","heading":"Text","content":"Traitez toutes les erreurs avec une page de transfert:"},{"id":"text-191","heading":"Text","content":"ErrorDocument 400 /error.shtml\nErrorDocument 401 /error.shtml\nErrorDocument 403 /error.shtml\nErrorDocument 404 /error.shtml\nErrorDocument 500 /error.shtml"},{"id":"text-192","heading":"Text","content":"Exemple de fichier error.shtml (dans votre répertoire "DocumentRoot")."},{"id":"text-193","heading":"Text","content":"Page non trouvée!"},{"id":"text-194","heading":"Text","content":"PHP:\nSi les RPM appropriés php, perl et httpd sont installés,\nla configuration et les modules Red Hat Apache par défaut prend en charge PHP\ncontenu.\nPaquets RPM (RHEL):"},{"id":"text-195","heading":"Text","content":"php: langage de script HTML"},{"id":"text-196","heading":"Text","content":"php-pear: PEAR est un framework et un système de distribution de composants PHP réutilisables."},{"id":"text-197","heading":"Text","content":"php-mysql: support de la base de données MySQL."},{"id":"text-198","heading":"Text","content":"php-ldap: support du protocole LDAP (Lightweight Directory Access Protocol)"},{"id":"text-199","heading":"Text","content":"Configuration Apache:"},{"id":"text-200","heading":"Text","content":"Ajoutez php default page index.php au fichier de configuration apache: /etc/httpd/conf/httpd.conf"},{"id":"text-201","heading":"Text","content":"..."},{"id":"text-202","heading":"Text","content":"DirectoryIndex index.html index.htm index.php"},{"id":"text-203","heading":"Text","content":"..."},{"id":"text-204","heading":"Text","content":"Fichier de configuration PHP:"},{"id":"text-205","heading":"Text","content":"AWS – PHP 5.6: /etc/php-5.6.d/php.ini\nRHEL4 – PHP 4.3: /etc/php.ini\nUbuntu 18.04: /etc/php/7.2/apache2/php.ini\nUbuntu 6.06 / 6.11: /etc/php5/apache2/php.ini"},{"id":"text-206","heading":"Text","content":"[PHP]"},{"id":"text-207","heading":"Text","content":"moteur = allumé\n...\n...\ndisplay_errors = Off\ninclude_path = ".: / php / includes"\n...\n...\nmemory_limit = 32M; La valeur par défaut est généralement de 8 Mo, ce qui est trop faible.\n...\n..."},{"id":"text-208","heading":"Text","content":"[MySQL]\n...\n...\nmysql.default_host = super-serveur ; Nom d'hôte de l'ordinateur\nmysql.default_user = Dbuser"},{"id":"text-209","heading":"Text","content":"..."},{"id":"text-210","heading":"Text","content":"Petite partie du fichier montré."},{"id":"text-211","heading":"Text","content":"Notez que les modifications ne prendront effet qu'après le redémarrage du démon de serveur Web Apache."},{"id":"text-212","heading":"Text","content":"Testez vos capacités PHP avec ce fichier de test: /maison/utilisateur1/public_html/test.php"},{"id":"text-213","heading":"Text","content":"<? phpphpinfo ();?>\nOU (ancien format)"},{"id":"text-214","heading":"Text","content":"Tester: http: // localhost / ~utilisateur1/test.php\nPour plus d'informations, consultez la liste des sites Web d'informations PHP de YoLinux."},{"id":"text-215","heading":"Text","content":"Exécuter plusieurs instances de httpd:\nLe démon du serveur Web Apache (httpd) peut être démarré avec la commande\noption de ligne "-f" pour spécifier un fichier de configuration unique pour chaque instance.\nConfigurez une adresse IP unique pour chaque instance d'Apache.\nReportez-vous au didacticiel de mise en réseau YoLinux pour spécifier plusieurs adresses IP pour une même carte réseau.\nUtilisez la directive du fichier de configuration Apache Écoute XXX.XXX.XXX.XXX, où l'adresse IP est unique pour chaque instance d'Apache."},{"id":"text-216","heading":"Text","content":"Apache Man Pages:"},{"id":"text-217","heading":"Text","content":"httpd – Apache Hypertext Transfer Protocol Server"},{"id":"text-218","heading":"Text","content":"apachectl – Interface de contrôle du serveur HTTP Apache"},{"id":"text-219","heading":"Text","content":"ab – Outil d'analyse comparative de serveur HTTP Apache"},{"id":"text-220","heading":"Text","content":"htdigest – gère les fichiers utilisateur pour l'authentification Digest"},{"id":"text-221","heading":"Text","content":"htpasswd – Gère les fichiers utilisateur pour l'authentification de base"},{"id":"text-222","heading":"Text","content":"logresolve – Résoudre les adresses IP en noms d'hôte dans les fichiers journaux Apache"},{"id":"text-223","heading":"Text","content":"rotatelogs – Programme de journalisation en pipeline pour faire pivoter les journaux Apache"},{"id":"text-224","heading":"Text","content":"Consultez également le manuel de configuration Apache en ligne local: http: // localhost / manual /."},{"id":"text-225","heading":"Text","content":"Configuration de l'interface graphique Apache Red Hat / Fedora Core:\nOutil de configuration de l'interface graphique:"},{"id":"text-226","heading":"Text","content":"Red Hat EL 4/5, Fedora 2-10: / usr / bin / system-config-httpd"},{"id":"text-227","heading":"Text","content":"Red Hat 8/9, Fedora Core 1: / usr / bin / redhat-config-httpd"},{"id":"text-228","heading":"Text","content":"Ajout de la connexion au site Web et de la protection par mot de passe: Consultez le didacticiel YoLinux sur la protection par mot de passe du site Web."},{"id":"text-229","heading":"Text","content":"Analyse du fichier journal:"},{"id":"text-230","heading":"Text","content":"L'analyse des fichiers de journal Web Apache ne fournira pas de statistiques significatives\nà moins qu’ils soient représentés graphiquement ou présentés de manière facile à lire. Le suivant\npaquets à un bon travail de présentation des statistiques du site."},{"id":"text-231","heading":"Text","content":"Services de statistiques de site Web:"},{"id":"text-232","heading":"Text","content":"Charger en charge votre serveur:"},{"id":"text-233","heading":"Text","content":"Liens Apache:"},{"id":"text-234","heading":"Text","content":"CgiWrap – Le wrapper setuid qui permet aux utilisateurs d'installer et d'exécuter leurs propres scripts cgi exécutés sous leur propre ID utilisateur"},{"id":"text-235","heading":"Text","content":"WWWThreads.org – Produit commercial – Logiciel avancé de téléconférence Web"},{"id":"text-236","heading":"Text","content":"Configuration de https (mod_ssl):"},{"id":"text-237","heading":"Text","content":"Analyse du fichier journal avec Analog:"},{"id":"text-238","heading":"Text","content":"Installation:"},{"id":"text-239","heading":"Text","content":"Red Hat / Fedora: miam installer analogique\nUbuntu / Debian: apt-get install analog"},{"id":"text-240","heading":"Text","content":"Les packages d'installation sont également disponibles sur la page de téléchargements analogiques.\nFichier de configuration: /etc/analog.cfg"},{"id":"text-241","heading":"Text","content":"LOGFILE / var / log / httpd /votre-domaine.com-access_log * http: // www.votre-domaine.com\nUNCOMPRESS * .gz, *. Z "gzip -cd"\nSUBTYPE * .gz, *. Z\n#\nOUTFILE / home /utilisateur1/public_html/analog/Report.html\n#\nNOM D'HOTE "VotreDomaine.com"\nHOSTURL http: // www.votre-domaine.com"},{"id":"text-242","heading":"Text","content":"....\n...\n.."},{"id":"text-243","heading":"Text","content":"Pages REQINCLUDE # Demander les statistiques de la page uniquement"},{"id":"text-244","heading":"Text","content":"TOUT SUR\nLANGUE US-ANGLAIS"},{"id":"text-245","heading":"Text","content":"Vous pouvez afficher les paramètres utilisés avec votre fichier de configuration (également utiles pour le débogage): réglages analogiques\nRendre les images analogiques disponibles pour le rapport des utilisateurs: ln -s / usr / share / analogique / images / * / home /utilisateur1/ public_html / analogique"},{"id":"text-246","heading":"Text","content":"Emplacement du fichier journal:"},{"id":"text-247","heading":"Text","content":"Red Hat / Fedora: / var / log / httpd /\nUbuntu / Debian: / var / log / apache2 /"},{"id":"text-248","heading":"Text","content":"La directive "TOUT SUR"active tous les éléments suivants:"},{"id":"text-249","heading":"Text","content":"Directive analogique\nLa description"},{"id":"text-250","heading":"Text","content":"Tous les mois \n une ligne par mois"},{"id":"text-251","heading":"Text","content":"HEBDOMADAIRE SUR \n une ligne par semaine"},{"id":"text-252","heading":"Text","content":"DAILYREP ON \n une ligne par jour"},{"id":"text-253","heading":"Text","content":"DAILYSUM ON \n une ligne pour chaque jour de la semaine"},{"id":"text-254","heading":"Text","content":"HOURLYREP ON \n une ligne pour chaque heure de la journée"},{"id":"text-255","heading":"Text","content":"GENERAL ON \n le résumé général en haut"},{"id":"text-256","heading":"Text","content":"DEMANDE SUR \n quels fichiers ont été demandés"},{"id":"text-257","heading":"Text","content":"ÉCHEC SUR \n quels fichiers n'ont pas été trouvés"},{"id":"text-258","heading":"Text","content":"ANNUAIRE SUR \n Rapport d'annuaire"},{"id":"text-259","heading":"Text","content":"HÔTE SUR \n quels ordinateurs ont demandé des fichiers"},{"id":"text-260","heading":"Text","content":"ORGANISATION SUR \n de quelles organisations ils venaient"},{"id":"text-261","heading":"Text","content":"DOMAINE SUR \n dans quels pays ils étaient"},{"id":"text-262","heading":"Text","content":"REFERER SUR \n où les gens ont suivi les liens de"},{"id":"text-263","heading":"Text","content":"FAILREF ON \n où les gens ont suivi des liens brisés de"},{"id":"text-264","heading":"Text","content":"RECHERCHE SUR \n les phrases et les mots qu'ils ont utilisés …"},{"id":"text-265","heading":"Text","content":"MOT DE RECHERCHE SUR \n … pour vous trouver parmi les moteurs de recherche"},{"id":"text-266","heading":"Text","content":"NAVIGATEUR SUR \n quels types de navigateurs les gens utilisaient"},{"id":"text-267","heading":"Text","content":"OSREP ON \n et quels systèmes d'exploitation"},{"id":"text-268","heading":"Text","content":"FILETYPE ON \n types de fichiers demandés"},{"id":"text-269","heading":"Text","content":"TAILLE SUR \n taille des fichiers demandés"},{"id":"text-270","heading":"Text","content":"ÉTAT SUR \n nombre de chaque type de succès et d'échec"},{"id":"text-271","heading":"Text","content":"Cron job pour gérer plusieurs domaines: /etc/cron.daily/analog"},{"id":"text-272","heading":"Text","content":"#! / bin / sh\ncp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg\n/ usr / bin / analogique\ncp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg\n/ usr / bin / analogique"},{"id":"text-273","heading":"Text","content":"..."},{"id":"text-274","heading":"Text","content":"Liens:"},{"id":"text-275","heading":"Text","content":"Mesure des performances du serveur Web:"},{"id":"text-276","heading":"Text","content":"Voir le didacticiel de référence du serveur Web YoLinux.com."},{"id":"text-277","heading":"Text","content":"Configuration du compte utilisateur FTPd et FTP:"},{"id":"text-278","heading":"Text","content":"De nombreux programmes FTP existent. Cet exemple couvre le populaire\n      vsftpd (Red Hat default 9.0, Fedora Core, Suse) et\n      wu-ftpd (Washington\nUniversity) qui est livré en standard avec RedHat (le dernier livré avec\nRedHat 8.0 mais peut être installé sur n’importe quel système Linux).\n(RPM: wu-ftpd)\nIl existe d'autres programmes FTP, y compris proFtpd\n(prend en charge l’authentification LDAP, les directives de type Apache, les fonctionnalités complètes\nlogiciel serveur ftp),\n      bftpd, pure-ftpd (BSD libre et en option sur Suse), etc …"},{"id":"text-279","heading":"Text","content":"Pour les environnements hostiles, configurez un environnement chrooté pour sftp connexion cryptée et la rssh shell restreint pour OpenSSH.\nVoir le tutoriel sur la sécurité Internet de YoLinux.com pour Linux sftp et rssh configuration"},{"id":"text-280","heading":"Text","content":"Voir aussi la configuration sftp chrootée préférée pour OpenSSH 4.9+"},{"id":"text-281","heading":"Text","content":"FTPd et SELinux: pour autoriser l'accès au démon FTPd et l'accès FTP aux répertoires de base des utilisateurs:"},{"id":"text-282","heading":"Text","content":"Suivre avec la commande service vsftpd redémarrer\nTutoriels de configuration FTPd:"},{"id":"text-283","heading":"Text","content":"Configuration du compte utilisateur vsFTPd et FTP:"},{"id":"text-284","heading":"Text","content":"Le serveur ftp vsFTPd a été mis à disposition pour la première fois dans Red Hat 9.0. Il a également été adopté par Suse et OpenBSD.\nC'est actuellement le démon FTP recommandé pour une utilisation sur des serveurs FTP."},{"id":"text-285","heading":"Text","content":"Activer vsftpd:"},{"id":"text-286","heading":"Text","content":"Red Hat / Fedora Core / CentOS:\nVsFTPd est un service autonome et par l’installation par défaut de Fedora Core,\nnon contrôlé par xinetd comme l’installation par défaut de wu-ftpd.\n Commencez donc le service: service vsftpd start (ou: /etc/init.d/vsftpd start)\n Configurez vsftpd pour qu'il démarre au démarrage du système: chkconfig --add vsftpd"},{"id":"text-287","heading":"Text","content":"SuSE: Par défaut, vsftpd est un service contrôlé par xinetd. Autoriser\nServices de serveur FTP éditer le fichier /etc/xinetd.d/vsftpd et changer:\n désactiver = oui\n à:\n désactiver = non\n Redémarrez le démon xinetd: /etc/init.d/xinetd restart\n Remarque: vsftpd peut également être exécuté en tant que service autonome pour obtenir un résultat plus rapide.\nTemps de réponse."},{"id":"text-288","heading":"Text","content":"Ubuntu (dapper / hardy / natty) / Debian:"},{"id":"text-289","heading":"Text","content":"Installer: apt-get install vsftpd\n \nVsFTPd est un service autonome."},{"id":"text-290","heading":"Text","content":"Début: /etc/init.d/vsftpd start\n \nArrêtez: /etc/init.d/vsftpd stop\n \nRedémarrer: /etc/init.d/vsftpd restart\n (Utilisez cette commande après avoir modifié le fichier de configuration)"},{"id":"text-291","heading":"Text","content":"Pour plus d’informations sur le démarrage / l’arrêt / la configuration des services Linux, voir la\n      Tutoriel YoLinux sur le processus d'initialisation Linux et l'activation du service."},{"id":"text-292","heading":"Text","content":"Fichiers de configuration:"},{"id":"text-293","heading":"Text","content":"Fichier de configuration vsFTPd:"},{"id":"text-294","heading":"Text","content":"Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf\n \nS.u.S.e. / Ubuntu (dapper / hardy / natty) / Debian: /etc/vsftpd.conf"},{"id":"text-295","heading":"Text","content":"Par défaut pour Fedora Core 3:"},{"id":"text-296","heading":"Text","content":"anonymous_enable = OUI - FTP anonyme autorisé par défaut si vous commentez ceci.\n                                  Répertoire par défaut utilisé: / var / ftp"},{"id":"text-297","heading":"Text","content":"local_enable = YES - Un-comment this to allow local users to log in with FTP.\n Must also set SELinux boolean: setsebool -P ftp_home_dir 1"},{"id":"text-298","heading":"Text","content":"write_enable=YES - Un-comment this to enable any form of FTP write or upload command."},{"id":"text-299","heading":"Text","content":"local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's."},{"id":"text-300","heading":"Text","content":"#anon_upload_enable=YES - Un-comment to allow the anonymous FTP user to upload files. \n                                  Requires the above global write enabled. Directory must also be writable by user."},{"id":"text-301","heading":"Text","content":"#anon_mkdir_write_enable=YES - Un-comment this to allow the anonymous FTP user to be able to create new directories."},{"id":"text-302","heading":"Text","content":"dirmessage_enable=YES - Activate directory messages. \n                                  Messages given to remote users when they enter certain directories"},{"id":"text-303","heading":"Text","content":"xferlog_enable=YES - Activate logging of uploads/downloads."},{"id":"text-304","heading":"Text","content":"connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)"},{"id":"text-305","heading":"Text","content":"#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)"},{"id":"text-306","heading":"Text","content":"#chown_username=quiconque"},{"id":"text-307","heading":"Text","content":"#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log"},{"id":"text-308","heading":"Text","content":"xferlog_std_format=YES - Output to log file in standard ftpd xferlog format"},{"id":"text-309","heading":"Text","content":"#idle_session_timeout=600 - Set timing out for an idle session."},{"id":"text-310","heading":"Text","content":"#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20"},{"id":"text-311","heading":"Text","content":"#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user."},{"id":"text-312","heading":"Text","content":"# Enable this and the server will recognize asynchronous ABOR requests. ne pas\n# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.\n#async_abor_enable=YES"},{"id":"text-313","heading":"Text","content":"#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. \n                                  Disables command "ascii" and "SIZE /big/file"."},{"id":"text-314","heading":"Text","content":"#ascii_download_enable=YES"},{"id":"text-315","heading":"Text","content":"#ftpd_banner=Welcome to YoLinux - Customize the login banner string."},{"id":"text-316","heading":"Text","content":"#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks."},{"id":"text-317","heading":"Text","content":"#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)"},{"id":"text-318","heading":"Text","content":"#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d."},{"id":"text-319","heading":"Text","content":"#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)"},{"id":"text-320","heading":"Text","content":"ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled."},{"id":"text-321","heading":"Text","content":"pam_service_name=vsftpd"},{"id":"text-322","heading":"Text","content":"userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list\n If "userlist_enable=NO" then allow specified users.\n Red Hat: /etc/vsftpd/user_list\n#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks."},{"id":"text-323","heading":"Text","content":"listen=YES - Enable for standalone mode as opposed to an xinetd service.\n Must set SELinux boolean: setsebool -P ftpd_is_daemon 1"},{"id":"text-324","heading":"Text","content":"tcp_wrappers=YES\n \nRestart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)"},{"id":"text-325","heading":"Text","content":"[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:"},{"id":"text-326","heading":"Text","content":"directive=XXX # comment\n \n vsftp.conf man page"},{"id":"text-327","heading":"Text","content":"Specify list of local users chrooted to their home directories:"},{"id":"text-328","heading":"Text","content":"Red Hat: /etc/vsftpd/vsftpd/chroot_list\nUbuntu: /etc/vsftpd/vsftpd.chroot_list"},{"id":"text-329","heading":"Text","content":"(Requires: chroot_list_enable=NO)"},{"id":"text-330","heading":"Text","content":"user1user2...user-n\n \nSi userlist_enable=YES, then specify users not to be chroot'd.."},{"id":"text-331","heading":"Text","content":"Specify list of users:"},{"id":"text-332","heading":"Text","content":"Red Hat: /etc/vsftpd/user_list\nUbuntu: /etc/vsftpd.user_list"},{"id":"text-333","heading":"Text","content":"(Deny list of users requires: userlist_enable=YES)\n Also see PAM configuration below.\nracinepoubelledémonadmlpsynchroniserfermerarrêt...\nSi userlist_enable=NO, then specify valid users."},{"id":"text-334","heading":"Text","content":"PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd"},{"id":"text-335","heading":"Text","content":"#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth\n \nThis causes PAM to check /etc/vsftpd.ftpusers for users who are denied.\nThis duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.\n    \n    PAM authentication configuration file: ftpusers"},{"id":"text-336","heading":"Text","content":"Red Hat: /etc/vsftpd/ftpusers\nUbuntu: /etc/vsftpd.ftpusers"},{"id":"text-337","heading":"Text","content":"racine\npoubelle\ndémon\nadm\nlp\nsynchroniser\nfermer\narrêt\n...\n...\n...\nuser6 - Users to deny\nuser8"},{"id":"text-338","heading":"Text","content":"...\n..."},{"id":"text-339","heading":"Text","content":"Logrotate configuration file: /etc/logrotate.d/vsftpd.log"},{"id":"text-340","heading":"Text","content":"/var/log/xferlog \n    # ftpd doesn't handle SIGHUP properly\n    nocompress\n    missingok"},{"id":"text-341","heading":"Text","content":"Sample vsFTPd configurations:"},{"id":"text-342","heading":"Text","content":"Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf"},{"id":"text-343","heading":"Text","content":"# Access rights\nanonymous_enable=YES - Turn on anonymous FTP"},{"id":"text-344","heading":"Text","content":"chown_uploads=YES - Uploaded files owned by an assigned user"},{"id":"text-345","heading":"Text","content":"chown_username=ftp - Uploaded files owned by this assigned user"},{"id":"text-346","heading":"Text","content":"local_enable=NO\nwrite_enable=NO - No upload of files system changes allowed"},{"id":"text-347","heading":"Text","content":"anon_upload_enable=NO\nanon_mkdir_write_enable=NO\nanon_other_write_enable=NO\n# Security\nanon_world_readable_only=YES\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO\nhide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\n# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\nanon_max_rate=50000"},{"id":"text-348","heading":"Text","content":"pam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES"},{"id":"text-349","heading":"Text","content":"Anonymous logins use the login name "anonymous" and then the user supplies their\nemail address as a password. Any password will be accepted.\nUsed to allow the public to download files from an ftp server.\nGenerally, no upload is permitted."},{"id":"text-350","heading":"Text","content":"Web hosting configuration: /etc/vsftpd/vsftpd.conf"},{"id":"text-351","heading":"Text","content":"# Access rights\nanonymous_enable=NO\nlocal_enable=YES - Allow users to ftp to their home directories"},{"id":"text-352","heading":"Text","content":"write_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE"},{"id":"text-353","heading":"Text","content":"local_umask=022\n# Security\nconnect_from_port_20=YES\nforce_dot_files=NO\nguest_enable=NO - Don't remap user name"},{"id":"text-354","heading":"Text","content":"ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string."},{"id":"text-355","heading":"Text","content":"chroot_local_user=YES - Limit user to browse their own directory only"},{"id":"text-356","heading":"Text","content":"chroot_list_enable=YES - Enable list of system / power users"},{"id":"text-357","heading":"Text","content":"chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users"},{"id":"text-358","heading":"Text","content":"hide_ids=YES\npasv_min_port=50000\npasv_max_port=60000\n# Features\nxferlog_enable=YES\nls_recurse_enable=NO\nascii_download_enable=NO\nasync_abor_enable=YES\ndirmessage_enable=YES - Message greeting held in file .message or specify with message_file=..."},{"id":"text-359","heading":"Text","content":"# Performance\none_process_model=NO\nidle_session_timeout=120\ndata_connection_timeout=300\naccept_timeout=60\nconnect_timeout=60\nmax_per_ip=4\n#\npam_service_name=vsftpd\nuserlist_enable=YES\n#enable for standalone mode\nlisten=YES\ntcp_wrappers=YES"},{"id":"text-360","heading":"Text","content":"Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list\n Ubuntu typically: /etc/vsftpd.chroot_list\n (Requires: chroot_list_enable=NO)"},{"id":"text-361","heading":"Text","content":"user1user2...user-n"},{"id":"text-362","heading":"Text","content":"Si userlist_enable=YES, then specify users not to be chroot'd.."},{"id":"text-363","heading":"Text","content":"[Potential Pitfall]:\nMisspelling a directive will cause vsftpd to fail with little warning."},{"id":"text-364","heading":"Text","content":"Fichier: .message"},{"id":"text-365","heading":"Text","content":"A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash."},{"id":"text-366","heading":"Text","content":"Test if vsftp is listening: netstat -a | grep ftp"},{"id":"text-367","heading":"Text","content":"[root]# netstat -a | grep ftptcp 0 0 *:ftp *:* LISTEN\nLinks:\nWU-FTPd and FTP user account configuration:"},{"id":"text-368","heading":"Text","content":"The wu-ftpd FTP server can be downloaded (binary or source) from\nhttp://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org)."},{"id":"text-369","heading":"Text","content":"There are three kinds of FTP logins that wu-ftpd provides:"},{"id":"text-370","heading":"Text","content":"anonymous FTP – one logs in with the username 'anonymous'"},{"id":"text-371","heading":"Text","content":"real FTP – log in with a real username and password and\nhas access to the entire disk structure."},{"id":"text-372","heading":"Text","content":"guest FTP – one logs in with a real user name and\npassword, but the user is chroot'ed to his home directory and cannot\nescape from it.\nThey are constrained to their home directory which also means that they don't\nhave access to /bin/ls and other commands on the server.\nThus a local minimalist environment must be set up."},{"id":"text-373","heading":"Text","content":"This tutorial covers "guest" FTP configuration."},{"id":"text-374","heading":"Text","content":"The file /etc/ftpaccess controls the configuration of ftp."},{"id":"text-375","heading":"Text","content":"# Don't allow system accounts to log in over ftp\n   deny-uid %-99 %65534-\n   deny-gid %-99 %65534-"},{"id":"text-376","heading":"Text","content":"   class all real,guest *\n   email webmaster@your-domain.com\n \n \n \n loginfails 5"},{"id":"text-377","heading":"Text","content":"   readme README* login\n   readme README* cwd=*\n   message /welcome.msg login\n   message .message cwd=*"},{"id":"text-378","heading":"Text","content":"   compress yes all\n   tar yes all\n   chmod no guest,anonymous\n   delete no anonymous # delete files permission?\n   overwrite no anonymous # overwrite files permission?\n   rename no anonymous # rename files permission?\n   delete yes guest # delete files permission?\n   overwrite yes guest # overwrite files permission?\n   rename yes guest # rename files permission?\n   umask no guest # umask permission?"},{"id":"text-379","heading":"Text","content":"   log transfers anonymous,real inbound,outbound"},{"id":"text-380","heading":"Text","content":"   shutdown /etc/shutmsg"},{"id":"text-381","heading":"Text","content":"   passwd-check rfc822 warn"},{"id":"text-382","heading":"Text","content":"   # Must also create message file /etc/pathmsg of the guest directory.\n   # In this case it refers to /home/user1/public_html/etc/pathmsg.\n   path-filter guest /etc/pathmsg ^[-A-Za-z0-9_.]*$ ^. ^-\n   limit all 2\n   noretrieve passwd .htaccess core - Do not allow users to download files of these names\n \n \n \n limit-time * 20\n   byte-limit in 5000 - Limit file size\n \n \n \n guestuser * - System user default categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.\n \n \n \n realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". \n                                    Visibility of the whole file system and subject to regular UNIX file permissions\n \n \n \n realuser user4 - Assign real user privileges to user id "user4"."},{"id":"text-383","heading":"Text","content":"restricted-uid user1 user2 user3 - Restricts FTP to the specified directories\n \n \n \n guest-root /home/user1/public_html user1\n guest-root /home/user2/public_html user2\n   guest-root /home/user3/public_html user3"},{"id":"text-384","heading":"Text","content":"Remarque:"},{"id":"text-385","heading":"Text","content":"user1, user2 et user3 refer to login accounts. Use the appropriate login name."},{"id":"text-386","heading":"Text","content":"The above configuration disables anonymous FTP which allows anyone to\nperform an FTP login with the id anonyme and an email address as a\npassword. To enable anonymous FTP, change the classe directive to:"},{"id":"text-387","heading":"Text","content":"class all real,guest,anonymous *"},{"id":"text-388","heading":"Text","content":"GUI FTP configuration tools:"},{"id":"text-389","heading":"Text","content":"/usr/bin/kwuftpd\n \n/sbin/linuxconf\n (Note: Linuxconf is no longer included with Red Hat 7.3 and later)"},{"id":"text-390","heading":"Text","content":"Red Hat Linux assigns users a user id and group id which is the same.\n    This means that it does not matter if you use a realuser ou\n realgroup directive as they will act the same."},{"id":"text-391","heading":"Text","content":"Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections.\n    Thus xinetd must be running and configured to support ftp. le\n    configuration file is /etc/xinetd.d/wu-ftpd.\n    The command chkconfig wu-ftpd on will make the ftp server available.\n    See xinet configuration for more info."},{"id":"text-392","heading":"Text","content":"Allow override of deny-uid et / ou deny-gid:"},{"id":"text-393","heading":"Text","content":"allow-uid user-to-allow\n \n \n \n allow-gid group-to-allow"},{"id":"text-394","heading":"Text","content":"Optional configuration:"},{"id":"text-395","heading":"Text","content":"Create a group ftpchroot\n \nAdd users to this group\n \nUse directive: guestgroup ftpchroot"},{"id":"text-396","heading":"Text","content":"[Potential Pitfall]: Flaky ftp behavior,\ntimeouts, etc?? FTP works best with name resolution of the computer it is\ncommunicating with.\nThis requires proper /etc/resolv.conf and name server (bind)\nconfiguration, /etc/hosts or NIS/NFS configuration."},{"id":"text-397","heading":"Text","content":"Fichier /home/user1/public_html/etc/pathmsg:"},{"id":"text-398","heading":"Text","content":"A NOTE TO USERS UPLOADING FILES:\n   File names may consist of letters (a-z, A-Z), numbers (0-9),\n   an under score ("_"), dash ("-") or period (".") only.\n   The file name may not begin with a period or dash.\n   You have tried to upload a file with an inappropriate name."},{"id":"text-399","heading":"Text","content":"The whole point of the chroot directory is to make the\nuser's home directory appear to be the root of the\nfilesystem (/) so one could not wander around the filesystem.\nConfiguration of /etc/ftpaccess will limit the user to their respective\ndirectories while still offering access to /bin/ls and other system commands\nused in FTP operation."},{"id":"text-400","heading":"Text","content":"As root:"},{"id":"text-401","heading":"Text","content":"cd /home/user1\n mkdir public_html\n   chown $1.$1 public_html\n   touch .rhosts - Security protection\n chmod ugo-xrw .rhosts"},{"id":"text-402","heading":"Text","content":"Man Pages:\nServeur:"},{"id":"text-403","heading":"Text","content":"ftpd – Internet File Transfer Protocol server"},{"id":"text-404","heading":"Text","content":"File Formats:"},{"id":"text-405","heading":"Text","content":"/etc/ftpaccess – Configuration file for ftpd"},{"id":"text-406","heading":"Text","content":"/etc/ftpservers – ftpd virtual hosting configuration file. (optionnel)"},{"id":"text-407","heading":"Text","content":"/etc/ftphosts – allow or deny access to certain accounts from various hosts. (optionnel)"},{"id":"text-408","heading":"Text","content":"/etc/ftpconversions – ftpd conversions database (for tar and compression)"},{"id":"text-409","heading":"Text","content":"/var/log/xferlog – FTP server logfile"},{"id":"text-410","heading":"Text","content":"ftp – File Transfer Client program"},{"id":"text-411","heading":"Text","content":"Configuration files: (RH 8.0+)"},{"id":"text-412","heading":"Text","content":"PAM configuration file: /etc/pam.d/ftp"},{"id":"text-413","heading":"Text","content":"#%PAM-1.0\nauth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed\nauth required pam_stack.so service=system-auth\nauth required pam_shells.so\naccount required pam_stack.so service=system-auth\nsession required pam_stack.so service=system-auth"},{"id":"text-414","heading":"Text","content":"Xinetd configuration file: /etc/xinetd.d/wu-ftpd"},{"id":"text-415","heading":"Text","content":"service ftp"},{"id":"text-416","heading":"Text","content":"        disable = no\n        socket_type = stream\n        wait = no\n        user = root\n        server = /usr/sbin/in.ftpd\n        server_args = -l -a\n        log_on_success += DURATION USERID\n        log_on_failure += USERID\n        nice = 10"},{"id":"text-417","heading":"Text","content":"Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd."},{"id":"text-418","heading":"Text","content":"Logrotate configuration file: /etc/logrotate.d/ftpd\n/var/log/xferlog nocompress"},{"id":"text-419","heading":"Text","content":"Plus d'information:\nMan pages on related FTP commands and files:"},{"id":"text-420","heading":"Text","content":"chroot – Run with a special root directory\n \nftpcount – Show number of concurrent users.\n \nftpshut – close down the ftp servers at a given time\n \nftprestart – Restart previously shutdown ftp servers\n \nftpwho – show current process information for each ftp user\n \nprivatepw – Change WU-FTPD Group Access File Information (admin command)"},{"id":"text-421","heading":"Text","content":"Other FTP daemons:\nFTP Pitfalls:"},{"id":"text-422","heading":"Text","content":"If you get the following error:"},{"id":"text-423","heading":"Text","content":"ftp> ls227 Entering Passive Mode (208,188,34,109,208,89)ftp: connect: No route to host\nThis means you have firewall issues most probably on the FTP server itself.\nStart by removing the firewall "iptables" rules: iptables -F\nAdd rules until you discover what is causing the problem."},{"id":"text-424","heading":"Text","content":"Passive mode:\nPassive mode can also help one past the rules:\nftp> passivePassive mode on.\nThis toggles passive mode on and off.\nWhen on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port et pasv_max_port\nFirewall connection tracking module:\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_conntrack_ftp"\nNAT firewall modules:\nYou can also try adding ip_nat_ftp to the list of auto-loaded modules:\n(This will also load the dependency: ip_conntrack_ftp.)\n# cat /etc/sysconfig/iptables-config | grep ip_nat_ftpIPTABLES_MODULES="ip_nat_ftp"\nThen restart the firewall: /etc/init.d/iptables condrestart\nFTP will change ports during use. le ip_conntrack_ftp module will\nconsider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work.\ni.e. rule: /etc/sysconfig/iptables"},{"id":"text-425","heading":"Text","content":"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\nFTP fails because it can not change to the users home directory:\nErreur:"},{"id":"text-426","heading":"Text","content":"[user1@nodex ~]$ ftp node.domain.com"},{"id":"text-427","heading":"Text","content":"Connected to XXX.XXX.XXX.XXX.\n530 Please login with USER and PASS.\n530 Please login with USER and PASS.\nKERBEROS_V4 rejected as an authentication type\nName (XXX.XXX.XXX.XXX:user1):\n331 Please specify the password.\nMot de passe:\n500 OOPS: cannot change directory:/home/user1\nLogin failed.\nftp> bye"},{"id":"text-428","heading":"Text","content":"This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory.\nAs root, grant access with the following command:\nsetsebool -P ftp_home_dir 1\nFollowed by: service vsftpd restart"},{"id":"text-429","heading":"Text","content":"Test your vsftpd SELinux settings: getsebool -a | grep ftp"},{"id":"text-430","heading":"Text","content":"allow_ftpd_anon_write --> off\nallow_ftpd_full_access --> off\nallow_ftpd_use_cifs --> off\nallow_ftpd_use_nfs --> off\nallow_tftp_anon_write --> off\nftp_home_dir --> on\nftpd_disable_trans --> off\nftpd_is_daemon --> on\nhttpd_enable_ftp_server --> off\ntftpd_disable_trans --> off"},{"id":"text-431","heading":"Text","content":"FTPd SELinux man page"},{"id":"text-432","heading":"Text","content":"FTP Linux clients:"},{"id":"text-433","heading":"Text","content":"gftp: GUI GTK+\nMulti-threaded client. File transfer directory browsing and compare.\nMultiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS,\nSSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.\n \nKFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.\n \nkbear:\nGUI KDE based client. Connect to multiple servers, transfer files,\ndirectory browsing, file content browsing. Comes with S.U.S.e. Linux.\n \nftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)"},{"id":"text-434","heading":"Text","content":"Basic user security:"},{"id":"text-435","heading":"Text","content":"When hosting web sites, there is no need to grant a shell account which only\nallows the server to have more potential security holes. Current systems can\nspecify the user to have only FTP access with no shell by granting them the\n"shell" /sbin/nologin provided with the system or the "ftponly"\nshell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id"},{"id":"text-436","heading":"Text","content":"[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5\ndoes not support this configuration to prevent shell access.\nIt requires users to have a real user shell.\nc'est à dire. / bin / bash It works great in older and current Red Hat versions.\nIf it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access.\nYou should NOT be using this problem ridden version of ftpd. Use the latest\nwu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly"},{"id":"text-437","heading":"Text","content":"[Potential Pitfall]: Ubuntu – Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access.\nOne must create the shell "ftponly" as defined below to allow vsftp access with no shell."},{"id":"text-438","heading":"Text","content":"Disable remote telnet login access allowing FTP access only:"},{"id":"text-439","heading":"Text","content":"Change the shell for the user in /etc/passwd de / bin / bash être /opt/bin/ftponly."},{"id":"text-440","heading":"Text","content":"...\nuser1:x:502:503::/home/user1:/opt/bin/ftponly\n...\n \n Create file: /opt/bin/ftponly.\n Protection set to -rwxr-xr-x 1 root root \n with the command: chmod ugo+x /opt/bin/ftponly\n Contents of file:"},{"id":"text-441","heading":"Text","content":"#!/bin/sh\n#\n# ftponly shell\n#\ntrap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15\n#\nAdmin=root@your-domain.com\n#System=`/bin/hostname`@`/bin/domainname`\n#\n/bin/echo\n/bin/echo "********************************************************************"\n/bin/echo " You are NOT allowed interactive access."\n/bin/echo\n/bin/echo " User accounts are restricted to ftp and web access."\n/bin/echo\n/bin/echo " Direct questions concerning this policy to $Admin."\n/bin/echo "********************************************************************"\n/bin/echo\n#\n# C'ya\n#\nexit 0"},{"id":"text-442","heading":"Text","content":"The last step is to add this to the list of valid shells on the system.\n Add the line /opt/bin/ftponly à /etc/shells.\n \n Sample file contents: /etc/shells"},{"id":"text-443","heading":"Text","content":"/ bin / bash\n/bin/bash1\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n \n See man page on /etc/shells."},{"id":"text-444","heading":"Text","content":"An alternative would be to assign the shell /bin/false ou /sbin/nologin qui est devenu\navailable in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false ou /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access."},{"id":"text-445","heading":"Text","content":"Set file quotas to limit user account."},{"id":"text-446","heading":"Text","content":"For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial\n \nDomain Name Server (DNS) configuration using Bind version 8 or 9:"},{"id":"text-447","heading":"Text","content":"Two of the most popular ways to configure the program Bind\n(Berkeley Internet Domain software) to perform DNS\nservices is in the role of (1) ISP or (2) Web Host."},{"id":"text-448","heading":"Text","content":"In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any\nURL the user wishes to visit. (See DNS caching server)\n \nIn a purely web hosting configuration, Bind will only resolve for the\nIP addresses of the domains which are being hosted. This is the configuration\nwhich will be discussed and is often called an "Authoritative-only Nameserver"."},{"id":"text-449","heading":"Text","content":"When resolving IP addresses for a domain, Internic is\nexpecting a "Primary"\nand a "Secondary" DNS name server. (Sometimes called Master and Slave)\nEach DNS name server requires the file /etc/named.conf and the files it\npoints to.\nThis is typically two separate computer systems hosted on two different\nIP addresses. It is not necessary that the Linux servers be dedicated to\nDNS as they may run a web server, mail server, etc."},{"id":"text-450","heading":"Text","content":"Note on Bind versions: Red Hat versions 6.x used Bind version 8.\nRelease 7.1 of Red Hat began using Bind version 9 and the GUI configuration\noutil bindconf was introduced for those of you that like a pretty\npoint and click interface for configuration.\n \nInstallation Packages:"},{"id":"text-451","heading":"Text","content":"Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind"},{"id":"text-452","heading":"Text","content":"bind-chroot: Security jail for operation of bind.\nbind-utils: Utility commands like nslookup, host, dig\nsystem-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).\ncaching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting."},{"id":"text-453","heading":"Text","content":"Ubuntu (dapper/hardy/natty) / Debian: bind9"},{"id":"text-454","heading":"Text","content":"Configuration files:"},{"id":"text-455","heading":"Text","content":"Red Hat / Fedora / CentOS:"},{"id":"text-456","heading":"Text","content":"Fichier\nLa description\nDirectory\nChrooted Directory"},{"id":"text-457","heading":"Text","content":"named.conf\nPrimary/Secondary DNS server configuration.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)\n/etc/\n/var/named/chroot/etc/"},{"id":"text-458","heading":"Text","content":"named.root.hints\nConfiguration for recursive service. Required for all zones.(See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)\n/etc/\n/var/named/chroot/etc/"},{"id":"text-459","heading":"Text","content":"nommé\nRed Hat system variables.\n/etc/sysconfig/\npas de changement"},{"id":"text-460","heading":"Text","content":"rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/named/chroot/etc/"},{"id":"text-461","heading":"Text","content":"Zone files\nConfiguration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.\n/var/named/\n/var/named/chroot/var/named/"},{"id":"text-462","heading":"Text","content":"Debian / Ubuntu:"},{"id":"text-463","heading":"Text","content":"Fichier\nLa description\nDirectory\nChrooted Directory"},{"id":"text-464","heading":"Text","content":"named.confnamed.conf.optionsnamed.conf.local\nPrimary/Secondary DNS server configuration.\n/etc/bind/\n/var/bind/chroot/etc/bind/"},{"id":"text-465","heading":"Text","content":"rndc.key\nPrimary/Secondary DNS server configuration.\n/etc/\n/var/bind/chroot/etc/"},{"id":"text-466","heading":"Text","content":"Zone files\nConfiguration files for each domain.\n/var/bind/data/\n/var/bind/chroot/var/bind/data/"},{"id":"text-467","heading":"Text","content":"Primary server (master):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) et /etc/sysconfig/named for system variables.\n Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options et /etc/bind/named.conf.local\n Simple example: (no views)"},{"id":"text-468","heading":"Text","content":"options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed.\n \n \n \n allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9"},{"id":"text-469","heading":"Text","content":";"},{"id":"text-470","heading":"Text","content":"zone "localhost" \n        type master;\n        file "/etc/bind/db.local";\n;\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;"},{"id":"text-471","heading":"Text","content":"zone "your-domain.com" - Ubuntu separates the zone definitions into /etc/bind/named.conf.local \n \n \n \n type master; - Specify master, slave, forward or hint\n \n \n \n file "data/named.your-domain.com"; \n        notify yes; - slave servers are notified when the zone is updated.\n \n \n \n allow-update none; ; - deny updates from other hosts (default: none)\n \n \n \n allow-query any; ; - allow clients to query this server (default: any)"},{"id":"text-472","heading":"Text","content":";\nzone "your-domain-2.com"\n        type master;\n        file "data/named.your-domain-2.com";\n        notify yes;\n;"},{"id":"text-473","heading":"Text","content":"Remarque:"},{"id":"text-474","heading":"Text","content":"The omission of zone ".". Required if providing a recursive service."},{"id":"text-475","heading":"Text","content":"Ubuntu includes the separated file of zone directives using the directive:\n include "/etc/bind/named.conf.local";"},{"id":"text-476","heading":"Text","content":"BIND Views:\nThe BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result."},{"id":"text-477","heading":"Text","content":"If no views are specified then use the configuration shown above."},{"id":"text-478","heading":"Text","content":"The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement."},{"id":"text-479","heading":"Text","content":"If even one view is specified, then ALL zones MUST be associated with a "view"."},{"id":"text-480","heading":"Text","content":"Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "interne" and "externe":"},{"id":"text-481","heading":"Text","content":"localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf\n \ninternal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.\n \nexternal: The general public internet defined as client "any"."},{"id":"text-482","heading":"Text","content":"If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views)."},{"id":"text-483","heading":"Text","content":"In order to support a DNS for internet domains using views, one will have to configure an "external" view"},{"id":"text-484","heading":"Text","content":"Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")"},{"id":"text-485","heading":"Text","content":"options"},{"id":"text-486","heading":"Text","content":"        directory "/var/named"; // the default\n        dump-file "data/cache_dump.db";\n        statistics-file "data/named_stats.txt";\n        memstatistics-file "data/named_mem_stats.txt";"},{"id":"text-487","heading":"Text","content":";\nenregistrement"},{"id":"text-488","heading":"Text","content":"    // By default, SELinux policy does not allow named to modify the /var/named\n    // directory, so put the default debug log file in data/ :\n \n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n;\nview "localhost_resolver""},{"id":"text-489","heading":"Text","content":"    // This view sets up named to be a localhost resolver ( caching only nameserver ).\n    // If all you want is a caching-only nameserver, then you need only define this view:\n    match-clients localhost; ;\n    ...\n;\nview "internal""},{"id":"text-490","heading":"Text","content":"    // This view will contain zones you want to serve only to "internal" clients\n    // that connect via your directly attached LAN interfaces - "localnets" .\n    // For local private LAN. Not covered in this tutorial.\n    // Delete this view if web hosting with no local LAN.\n    match-clients localnets; ;\n    ...\n;\nkey ddns_key"},{"id":"text-491","heading":"Text","content":"        algorithm hmac-md5;\n        secret "use /usr/sbin/dns-keygen to generate TSIG keys";\n;\nview "external""},{"id":"text-492","heading":"Text","content":"    // This view will contain zones you want to serve only to "external" \n    // public internet clients. This is covered below.\n    match-clients any; ;\n    ...\n    ..\n;\n \n Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf"},{"id":"text-493","heading":"Text","content":"cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc\nchcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints"},{"id":"text-494","heading":"Text","content":"view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:"},{"id":"text-495","heading":"Text","content":"cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named\n also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root"},{"id":"text-496","heading":"Text","content":"view "external": (master) – details –"},{"id":"text-497","heading":"Text","content":"view "external""},{"id":"text-498","heading":"Text","content":"/* This view will contain zones you want to serve only to "external" clients\n * that have addresses that are not on your directly attached LAN interface subnets:\n * /\n        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer XXX.XXX.XXX.XXX; ; - IP address of secondary DNS"},{"id":"text-499","heading":"Text","content":"recursion no;\n        // you'd probably want to deny recursion to external clients, so you don't\n        // end up providing free DNS service to all takers"},{"id":"text-500","heading":"Text","content":"        // all views must contain the root hints zone:\n        include "/etc/named.root.hints";"},{"id":"text-501","heading":"Text","content":"        // These are your "authoritative" external zones, and would probably\n        // contain entries for just your web and mail servers:"},{"id":"text-502","heading":"Text","content":"        zone "your-domain.com" \n                type master;\n                file "/var/named/data/external/named.your-domain.com";\n                notify yes;\n                allow-update none; ;\n        ;\n \n // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement\n \n \n \n include "/etc/named.conf.local"; \n;"},{"id":"text-503","heading":"Text","content":"DNS key:"},{"id":"text-504","heading":"Text","content":"Use the following command /usr/sbin/dns-keygen to create a key.\nAdd this key to the "secret" statement as follows:"},{"id":"text-505","heading":"Text","content":"key ddns_key"},{"id":"text-506","heading":"Text","content":"        algorithm hmac-md5;\n        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";\n;"},{"id":"text-507","heading":"Text","content":"Man Pages:"},{"id":"text-508","heading":"Text","content":"Forward Zone File: /var/named/named.your-domain.com"},{"id":"text-509","heading":"Text","content":"Red Hat 9 / CentOS 3: /var/named/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com\n Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com\n Ubuntu / Debian: /etc/bind/data/named.your-domain.com"},{"id":"text-510","heading":"Text","content":"$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement.\n                     Measured in seconds. This value is 7 days.\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (\n   2000021600 ; en série - Many people use year+month+day+integer as a system.\n \n \n \n 86400 ; rafraîchir - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)\n \n \n \n 7200 ; réessayez - How long secondary server should wait for a retry if contact failed.\n \n \n \n 1209600 ; expirer - Secondary server to purge info after this length of time.\n \n \n \n 86400 ) ; default_ttl - How long data is held in cache by remote servers.\n \n \n \n IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. \n                                     I put the web server IP address here so that domain.com points to the same servers as www.domain.com"},{"id":"text-511","heading":"Text","content":";\n; Name servers for the domain\n;\n       IN NS ns1.your-domain.com.\n       IN NS ns2.your-domain.com.\n;\n; Mail server for domain\n;\n       IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Faire NE PAS specify an IP address!"},{"id":"text-512","heading":"Text","content":";\n; Nodes in domain\n;\nnode1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1"},{"id":"text-513","heading":"Text","content":"ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1"},{"id":"text-514","heading":"Text","content":"ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2"},{"id":"text-515","heading":"Text","content":"mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail."},{"id":"text-516","heading":"Text","content":";\n; Aliases to existing nodes in domain\n;\nwww IN CNAME node1 - Define the webserver "www" to be node1."},{"id":"text-517","heading":"Text","content":"ftp IN CNAME node1 - Define the ftp server to be node1.\n \nDNS record types and format:"},{"id":"text-518","heading":"Text","content":"DNS record\nDescription and Format"},{"id":"text-519","heading":"Text","content":"SOA\nStart of Authority: Primary domain server and contact info\n Note that there is a period following the primary domain server and contact email.\n Note that the email address is in the form where the first period represents the "@" symbol of the email address."},{"id":"text-520","heading":"Text","content":"your-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com."},{"id":"text-521","heading":"Text","content":"ou"},{"id":"text-522","heading":"Text","content":"@ in SOA ns1.your-domain.com. webmaster.your-domain.com."},{"id":"text-523","heading":"Text","content":"[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages:"},{"id":"text-524","heading":"Text","content":"view localhost_resolver: received notify for zone 'your-domain.com': not authoritative"},{"id":"text-525","heading":"Text","content":"SOA attribute\nLa description"},{"id":"text-526","heading":"Text","content":"en série\nNever use a value greater than 2147483647 for a 32 bit processor.Increment to a higher value to indicate an update to the slave server."},{"id":"text-527","heading":"Text","content":"rafraîchir\nTime increment (seconds) between update checks of the serial number with the primary server"},{"id":"text-528","heading":"Text","content":"réessayez\nTime elapsed before a slave will contact the primary server if a connection failed"},{"id":"text-529","heading":"Text","content":"expirer\nTime till primary server information is considered invalid and should be refreshed if there is a new DNS query"},{"id":"text-530","heading":"Text","content":"le minimum\nTime for DNS servers should hold domain information in their cache before purging"},{"id":"text-531","heading":"Text","content":"DANS\nIndicate Internet."},{"id":"text-532","heading":"Text","content":"NS\nSpecify the Authoritative Name servers for the domain."},{"id":"text-533","heading":"Text","content":"UNE\nSpecify the IP address associated with the host name.Format: nom d'hôte IN A XXX.XXX.XXX.XXXNote that in my example, no hostname is specified for the first record. This will define the default for the domain."},{"id":"text-534","heading":"Text","content":"CNAME\nSpecify an alias for the host name."},{"id":"text-535","heading":"Text","content":"MX\nMail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain"},{"id":"text-536","heading":"Text","content":"PTR\nUsed to specify the reverse DNS lookup"},{"id":"text-537","heading":"Text","content":"MX records for 3rd party off-site mail servers:"},{"id":"text-538","heading":"Text","content":"your-domain.com. IN MX 10 mail1.offsitemail.com.\nyour-domain.com. IN MX 20 mail2.offsitemail.com.\n \nAppend to the above example file.\n Initial configuration:\n Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/"},{"id":"text-539","heading":"Text","content":"cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/\ncp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/\ncd /var/named/chroot/var/named/data/\nchcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local"},{"id":"text-540","heading":"Text","content":"A file suffix of "zone" is also common i.e. your-domain.com.zone\nSecondary server (slave):\n File: named.conf\nRed Hat / Fedora Core / CentOS: /etc/named.conf\n Ubuntu / Debian: /etc/bind/named.conf\n Simple example with no views:"},{"id":"text-541","heading":"Text","content":"options - Ubuntu stores options in /etc/bind/named.conf.options\n \n \n \n version "Bind"; - Don't disclose real version to hackers\n \n \n \n directory "/var/named";\n allow-transfer none; ; - Slave is not transfering updates to anyone else\n \n \n \n recursion no;\n        auth-nxdomain no; - conform to RFC1035. (default)\n fetch-glue no; - Bind 8 only! Not used by version 9"},{"id":"text-542","heading":"Text","content":";\nzone "localhost" \n        type master;\n        file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local"},{"id":"text-543","heading":"Text","content":";\nzone "0.0.127.in-addr.arpa" \n        type master;\n        file "/etc/bind/db.127";\n;"},{"id":"text-544","heading":"Text","content":"zone "your-domain.com"\n        type slave; \n        file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL chrooted bind\n masters XXX.XXX.XXX.XXX; ; - IP address of primary DNS"},{"id":"text-545","heading":"Text","content":";\nzone "your-domain-2.com"\n        type slave; \n        file "named.your-domain-2.com";\n        masters XXX.XXX.XXX.XXX; ;\n;\n \n view "external": (slave)"},{"id":"text-546","heading":"Text","content":"view "external""},{"id":"text-547","heading":"Text","content":"        match-clients any; ;\n        match-destinations any; ;\n        allow-transfer aucun; ; - Slave does not transfer to anyone, slave receives\n \n \n \n recursion no;\n        include "/etc/named.root.hints";"},{"id":"text-548","heading":"Text","content":"        zone "your-domain.com" \n                type slave;\n                file "/var/named/slaves/external/named.your-domain.com";\n                notify no; - Slave does not notify, slave is notified by master\n \n \n \n masters XXX.XXX.XXX.XXX; ; - State IP of master server\n \n \n \n ;\n;"},{"id":"text-549","heading":"Text","content":"Note: RHEL, CentOS, Fedora use chrooted directory structure\npermissions which require the use of the slaves sub-directory /var/named/slaves\n Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate a zone file on the slave.\n Information additionnelle:"},{"id":"text-550","heading":"Text","content":"[Potential Pitfall]: Ubuntu dapper/hardy/natty – Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration."},{"id":"text-551","heading":"Text","content":"[Potential Pitfall]: Ubuntu dapper/hardy/natty – Create log file and set ownership and permission for file not created by installation:"},{"id":"text-552","heading":"Text","content":"touch /var/log/bindlog\n \nchown root.bind /var/log/bindlog\n \nchmod 664 /var/log/bindlog"},{"id":"text-553","heading":"Text","content":"[Potential Pitfall]: Error in /var/log/messages:"},{"id":"text-554","heading":"Text","content":"transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied\n \nNamed needs write permission on the directory containing the file. Ce\ncondition often occurs for a new "slave" or "secondary" name server\nwhere the zone files\ndo not yet exist. The default (RHEL, CentOS, Fedora, …):"},{"id":"text-555","heading":"Text","content":"drwxr-x--- 4 root named 4096 Aug 25 2004 named\n \ndrwxrwx--- 2 named named 4096 Sep 17 20:37 slaves"},{"id":"text-556","heading":"Text","content":"Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:\nfile "slaves/named.your-domain.com";\nBind Defaults:\n \nAfter the configuration files have been edited, restart the name daemon."},{"id":"text-557","heading":"Text","content":"/etc/init.d/named restart\n \n(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)"},{"id":"text-558","heading":"Text","content":"Bind zone transfers work best if the clocks of the two systems are synchronised.\nSee the YoLinux SysAdmin Tutorial: Time and ntpd"},{"id":"text-559","heading":"Text","content":"File: /var/named/named.your-domain.com\nThis is created for you by Bind on the slave (secondary) server when it replicates from Primary server."},{"id":"text-560","heading":"Text","content":"DNS GUI configuration:"},{"id":"text-561","heading":"Text","content":"Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind\n \nRed Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind"},{"id":"text-562","heading":"Text","content":"Test DNS:\nMust install packages:"},{"id":"text-563","heading":"Text","content":"Red Hat / Fedora Core / SuSE: bind-utils\n \nUbuntu (dapper/hardy/natty) / Debian: bind9-host"},{"id":"text-564","heading":"Text","content":"Test the name server with the\n          hôte\ncommand in interactive mode: \n hôte node.domain-to-test.com your-nameserver-to-test.domain.com\n \nNote: The name server may also be specified by IP address.\n \nou\n \nTest the name server with the\n          nslookup\ncommand in interactive mode:\n \n nslookup> server your-nameserver-to-test.domain.com\n \n \n \n > node.domain-to-test.com\n > exit\n \nTest the MX record if appropriate:\n \n nslookup -querytype=mx domain-to-test.com\n \n OU"},{"id":"text-565","heading":"Text","content":"host -t mx domain-to-test.com\n \nTest using the dig command:\n \n dig @name-server domain-to-query"},{"id":"text-566","heading":"Text","content":"OU"},{"id":"text-567","heading":"Text","content":"dig @IP-address-of-name-server domain-to-query\n \nTest your DNS with the following DNS diagnostics web site: DnsStuff.com"},{"id":"text-568","heading":"Text","content":"Extra logging to monitor Bind:\nAdd the following to your /etc/named.conf file."},{"id":"text-569","heading":"Text","content":"logging \n        channel bindlog \n // Keep five old versions of the log-file (rotates logs)\n \n \n \n file "/var/log/bindlog" versions 5 size 1m;\n                           print-time yes;\n                           print-category yes;\n                           print-severity yes;\n                        ;\n/* If you want to enable debugging, eg. using the 'rndc trace' command,\n * named will try to write the 'named.run' file in the $directory (/var/named).\n * By default, SELinux policy does not allow named to modify the /var/named directory,\n * so put the default debug log file in data/ :\n * /\n        channel default_debug \n                file "data/named.run";\n                severity dynamic;\n        ;\n        category xfer-out bindlog; ; - Zone transfers\n \n \n \n category xfer-in bindlog; ; - Zone transfers\n \n \n \n category security bindlog; ; - Approved/unapproved requests"},{"id":"text-570","heading":"Text","content":"// The following logging statements, panic, insist and response-checks are \n// valid for Bind 8 only. Do not user for version 9.\n category panic bindlog; ; - System shutdowns\n \n \n \n category insist bindlog; ; - Internal consistency check failures\n \n \n \n category response-checks bindlog; ; - Messages"},{"id":"text-571","heading":"Text","content":";"},{"id":"text-572","heading":"Text","content":"Chroot Bind for extra security:\nNote: Most modern Linux distributions default to a "chrooted" installation.\nThis technique runs the Bind name service with a view of the filesystem\nwhich changes the definition of the root directory "/" to a directory\nin which Bind will operate. c'est à dire. /var/named/chroot."},{"id":"text-573","heading":"Text","content":"The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.\n \nThe latest RedHat bind updates run the named as user "named" to avoid a lot of\nearlier hacker exploits. To chroot the process is to create an even more\nsecure environment by limiting the view of the system that the process\ncan access. The process is limited to the chrooted directory assigned.\n \nThe chroot of the named process to a directory under a given user will\nprevent the possibility of an exploit which at one time would result in\nroot access.\nThe original default RedHat configuration (6.2) ran the named process as root,\nthus if an exploit was found, the named process will allow the hacker to use\nthe privileges of the root user. (no longer true)\n \nNamed Command Sytax:\n \n named -u utilisateur -g groupe -t directory-to-chroot-to\n \nExemple:\n named -u named -g named -t /opt/named\nWhen chrooted, the process does not have access to system\nlibraries thus a\nlocal lib directory is required with the appropriate library files –\ntheoretically. This does not seem to be the case here and as noted\nabove in chrooted FTP.\nIt's a mystery to me but it works????\nAnother method to handle libraries is to re-compile the named binary\nwith everything statically linked. Ajouter -static to the compile options.\nThe chrooted process should also require a local /etc/named.conf etc… but doesn't seem to???\n \nScript to create a chrooted bind environment:"},{"id":"text-574","heading":"Text","content":"#!/bin/sh\ncd /opt\nmkdir named\ncd named\nmkdir etc\nmkdir bin\nmkdir var\ncd var\nmkdir named\nmkdir run\ncd ..\nchown -R named.named bin etc var"},{"id":"text-575","heading":"Text","content":"You can probably stop here. If your system acts like a chrooted system should,\nthen continue with the following:"},{"id":"text-576","heading":"Text","content":"cp -p /etc/named.conf etc\ncp -p /etc/localtime etc\ncp -p /bin/false bin\necho "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd\necho "named:x:25:" > etc/group\ntouch var/run/named.pid"},{"id":"text-577","heading":"Text","content":"si [ -f /etc/namedb ]\npuis\n   cp -p /etc/namedb etc/namedb\nFi"},{"id":"text-578","heading":"Text","content":"mkdir dev\ncd dev"},{"id":"text-579","heading":"Text","content":"# Create a character unbuffered file.\nmknod -m ugo+rw null c 1 3"},{"id":"text-580","heading":"Text","content":"cd ..\nchown -R named.named bin etc var"},{"id":"text-581","heading":"Text","content":"Add changes to the init script: /etc/rc.d/init.d/named"},{"id":"text-582","heading":"Text","content":"#!/bin/bash\n#\n# named This shell script takes care of starting and stopping\n# named (BIND DNS server).\n#\n# chkconfig: - 55 45\n# description: named (BIND) is a Domain Name Server (DNS) \n# that is used to resolve host names to IP addresses.\n# probe: true"},{"id":"text-583","heading":"Text","content":"# Source function library.\n. /etc/rc.d/init.d/functions"},{"id":"text-584","heading":"Text","content":"# Source networking configuration.\n. /etc/sysconfig/network"},{"id":"text-585","heading":"Text","content":"# Check that networking is up.\n[ $NETWORKING = \"no\" ] && exit 0"},{"id":"text-586","heading":"Text","content":"[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named"},{"id":"text-587","heading":"Text","content":"[ -f /usr/sbin/named ] || exit 0"},{"id":"text-588","heading":"Text","content":"[ -f /etc/named.conf ] || exit 0"},{"id":"text-589","heading":"Text","content":"RETVAL=0"},{"id":"text-590","heading":"Text","content":"start() \n        # Start daemons.\n        echo -n "Starting named: "\n        daemon named -u named -g named -t /opt/named # Change made here\n\tRETVAL=$?\n \t[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named\nécho\n\treturn $RETVAL"},{"id":"text-591","heading":"Text","content":"stop() \n        # Stop daemons.\n        echo -n "Shutting down named: "\n        killproc named\n\tRETVAL=$?\n\t[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named\n        écho\n\treturn $RETVAL"},{"id":"text-592","heading":"Text","content":"rhstatus() \n\t/usr/sbin/ndc status\n\treturn $?"},{"id":"text-593","heading":"Text","content":"restart() \nArrêtez\ndébut"},{"id":"text-594","heading":"Text","content":"reload() \n\t/usr/sbin/ndc reload\n\treturn $?"},{"id":"text-595","heading":"Text","content":"probe() echo start\n\treturn $?"},{"id":"text-596","heading":"Text","content":"# See how we were called.\ncase "$1" in\n\tstart)\ndébut\n\t\t;;\n\tstop)\nArrêtez\n\t\t;;\n\tstatus)\n\t\trhstatus\n\t\t;;\n\trestart)\nredémarrer\n\t\t;;\n\tcondrestart)\n\t\t[ -f /var/lock/subsys/named ] && restart || :\n\t\t;;\n\treload)\nrecharger\n\t\t;;\n\tprobe)\nsonde\n\t\t;;\n\t*)\n        \techo "Usage: named condrestart"\nsortie 1\nesac"},{"id":"text-597","heading":"Text","content":"exit $?"},{"id":"text-598","heading":"Text","content":"Note: The current version of bind from the RedHat errata updates and security\nfixes (http://www.redhat.com/support/errata/)\nruns the named process as user "named" in the home (not chrooted) directory\n /var/named with no shell available. (named -u named)\nThis should be secure enough.\nProceed with a chrooted installation if your are paranoid.\n \nVoir:"},{"id":"text-599","heading":"Text","content":"Chrooted DNS configuration:\n \nModern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4)\ncome pre-configured to use "chrooted" bind. This security feature forces\neven an exploited version of bind to only operate within the "chrooted" jail\n /var/named/chroot\nwhich contains the familiar directories:"},{"id":"text-600","heading":"Text","content":"/var/named/chroot/etc: Configuration files\n \n/var/named/chroot/dev: devices used by bind:"},{"id":"text-601","heading":"Text","content":"/dev/null\n \n /dev/random\n \n /dev/zero"},{"id":"text-602","heading":"Text","content":"(Real devices created with the mknod command.)\n \n/var/named/chroot/var: Zone files and configuration information."},{"id":"text-603","heading":"Text","content":"These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot"."},{"id":"text-604","heading":"Text","content":"If building from source you will have to generate this configuration manually:"},{"id":"text-605","heading":"Text","content":"mkdir -p /var/named/chroot\n \nmkdir /var/named/chroot/dev\n \nmknod /var/named/chroot/dev/null c 1 3\n \nmknod /var/named/chroot/dev/zero c 1 5\n \nmknod /var/named/chroot/dev/random c 1 8\n \nchmod 666 -R /var/named/chroot/dev\n \nmkdir -p /var/named/chroot/etc\n \nln -s /var/named/chroot/etc/named.conf /etc/named.conf"},{"id":"text-606","heading":"Text","content":"mkdir -p /var/named/chroot/var/named\n \nln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX \n \nln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY \n \n…\n \nmkdir -p /var/named/chroot/var/named/slaves\n \nmkdir -p /var/named/chroot/var/named/data\n \nmkdir -p /var/named/chroot/var/run\n \nmkdir -p /var/named/chroot/var/tmp"},{"id":"text-607","heading":"Text","content":"chown -R named:named /var/named/chroot\n \nchown -R root:named /var/named/chroot/var/named"},{"id":"text-608","heading":"Text","content":"Load Balancing of servers using Bind: DNS Round-Robin\nThis will populate DNS caching name servers around the world with different IP addresses for your web server www.your-domain.com\nFichier: /var/named/data/named.your-domain.com"},{"id":"text-609","heading":"Text","content":"$TTL 604800\nyour-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com."},{"id":"text-610","heading":"Text","content":"...\n..."},{"id":"text-611","heading":"Text","content":"www IN A 192.168.1.1"},{"id":"text-612","heading":"Text","content":"www IN A 192.168.1.2"},{"id":"text-613","heading":"Text","content":"www IN A 192.168.1.3"},{"id":"text-614","heading":"Text","content":"www IN A 192.168.1.4"},{"id":"text-615","heading":"Text","content":"www IN A 192.168.1.5"},{"id":"text-616","heading":"Text","content":"www IN A 192.168.1.6"},{"id":"text-617","heading":"Text","content":"Remarque:"},{"id":"text-618","heading":"Text","content":"This example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time for each request.\n              First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.\n \nA perfectly even load balance is not possible becaused network service providers run DNS caching servers which hold the resolved IP address for a different number of users.\n \nUsing multiple CNAME's to rotate records is no longer permissible in bind9.\n \nListing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.\n \nReducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a change in servers more quickly."},{"id":"text-619","heading":"Text","content":"Also see lbnamed: lbnamed load balancing named"},{"id":"text-620","heading":"Text","content":"Bind/DNS Links:\nDomain name registration:"},{"id":"text-621","heading":"Text","content":"Domain Name Registrars:\n \nAfterNic.com – Domain name exchange and auction.\n \nBuyDomains.com – Buy a domain name that a squatter is holding."},{"id":"text-622","heading":"Text","content":"Note that the Name registrations policies for the registrars are stated at ICANN.org."},{"id":"text-623","heading":"Text","content":"You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.\n \nMost free a domain name 30 days after it expires."},{"id":"text-624","heading":"Text","content":"Web Server Load Balancing:"},{"id":"text-625","heading":"Text","content":"Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both.\n      Multiple options are available for load balancing."},{"id":"text-626","heading":"Text","content":"DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.\nUse a Linux Virtual Server to Create a Load Balance Cluster. See next section below.\nRun a reverse proxy. See nginx ("engine X").\n          From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).\nRun the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network."},{"id":"text-627","heading":"Text","content":"Using a Linux Virtual Server to Create a Load Balance Cluster:"},{"id":"text-628","heading":"Text","content":"You can use a single Linux server to forward requests to a cluster of servers\nusing iptables for IP masquerading and IPVsadm to scale your load.\nThe load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS).\nThe LVS receives the requests which are passed to the real servers which\nprocess and reply to the request.\nThis reply is forwarded to the client by the LVS.\n \nThis feature is available with the Linux 2.4/2.6 kernel.\n(If compiling kernel: Networking Options + IP: Virtual Server Configuration)\n \nConfiguration: This example will load balance http traffic to three web servers\nand ftp traffic to a fourth server."},{"id":"text-629","heading":"Text","content":"Enable Forwarding:\n    (Also see YoLinux Networking Tutorial: Enable Forwarding)\necho "1" > /proc/sys/net/ipv4/ip_forward"},{"id":"text-630","heading":"Text","content":"Enable IP Masquerading:\niptables -t nat -P POSTROUTING DROPiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n For more on IP Masquerading, iptables and subnet addresses, see the\n    YoLinux network gateway tutorial.\n \nEnable virtual server:"},{"id":"text-631","heading":"Text","content":"Create virtual service and choose scheduler for http (80) and ftp (21):\nipvsadm -A -t 66.218.88.103:80 -s wlcipvsadm -A -t 66.218.88.103:21 -s wrr\n Command directives:"},{"id":"text-632","heading":"Text","content":"A: Add a virtual service defined by IP address, port number, and protocol.\n \n-t: Use TCP service host:port\n \n-s: scheduler:"},{"id":"text-633","heading":"Text","content":"rr: Robin Robin: distributes jobs equally amongst the avail-\n                            able real servers.\n \nwrr: Weighted Round Robin.\n \nlc: Least-Connection: assigns more jobs to real servers with\n                            fewer active jobs.\n \nwlc: (Default) Weighted Least-Connection: assigns more jobs to servers\n                            with fewer jobs and relative to the real server's weight.\n \nlblc, lblcr, dh, sh, sed, nq. See man page."},{"id":"text-634","heading":"Text","content":"Configure load balancing cluser.\nipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -mipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -mipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m\n Command directives:"},{"id":"text-635","heading":"Text","content":"-r: Real server.\n \n-m: Use masquerading also known as network address translation (NAT)\n \n-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1."},{"id":"text-636","heading":"Text","content":"Links:\n \nManaging Web Server Daemons:"},{"id":"text-637","heading":"Text","content":"To view if these services are\nrunning, type ps -aux and look for the httpd, inetd and named\nservices (daemons). These are background processes necessary to perform\nthe server tasks."},{"id":"text-638","heading":"Text","content":"root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named\n   nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd\n   nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd\n   root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd"},{"id":"text-639","heading":"Text","content":"A new installation will most likely NOT start the named background process\nwhich may be started manually after configuration.\n See the YoLinux Init Process Tutorial\npour plus d'informations.\n The inetd (or xinetd) background process is the Internet daemon which\nstarts FTP when an ftp request is made."},{"id":"text-640","heading":"Text","content":"Sys Admin Script:"},{"id":"text-641","heading":"Text","content":"Script to prepare an account: (Red Hat/Fedora)"},{"id":"text-642","heading":"Text","content":"#!/bin/sh\n# Author Greg Ippolito\n# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.\n# /opt/bin/ftponly\n# You must be root to run this script.\n#\nsi [ $# -eq 0 ]\npuis\n   echo "Enter user id as a command argument"\nelse if [ -r /home/$1 ]\npuis\n   echo "User's home directory already exists"\nautre\n   echo "1) Create user."\n   adduser -m $1"},{"id":"text-643","heading":"Text","content":"   echo "2) Set user Password."\n   passwd $1"},{"id":"text-644","heading":"Text","content":"   echo "3) Add read access to user directory so apache can read it."\n   cd /home\n   chmod ugo+rx $1\n   cd $1"},{"id":"text-645","heading":"Text","content":"   echo "4) Create web directories."\n   mkdir public_html\n   chown $1.$1 public_html\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html\n   cd public_html\n   mkdir images\n   chown $1.$1 images\n   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images"},{"id":"text-646","heading":"Text","content":"   # Block potential for unauthenticated logins\n   cd ../\n   touch .rhosts\n   chmod ugo-xrw .rhosts"},{"id":"text-647","heading":"Text","content":"   echo "5) Create default web page"\n   sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html\n   cp -p /opt/etc/AccountDefaults/favicon.ico .\n   cp -p /opt/etc/AccountDefaults/default-logo.gif ./images\n   cp -p /opt/etc/AccountDefaults/robots.txt .\n   chown $1.$1 index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt\n   chcon -R -h -t httpd_sys_content_t images/default-logo.gif"},{"id":"text-648","heading":"Text","content":"   echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"\n   cp -p /etc/passwd /etc/passwd-`date +%m%d%y`\n   sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd"},{"id":"text-649","heading":"Text","content":"#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid\n#wu-ftp# echo "7) Add user to /etc/ftpaccess file"\n#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`\n#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess\n#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess"},{"id":"text-650","heading":"Text","content":"   echo "7) Add user to vsftpd chroot list\n   cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list"},{"id":"text-651","heading":"Text","content":"   echo "8) Setting Disk Quotas to default 50Mb limit:"\n# Use user johndoe as a prototype.\n   edquota -p johndoe $1"},{"id":"text-652","heading":"Text","content":"   echo "9) Admin Follow-up:"\n   echo " Modify quota.user if different than default"\n   echo " Make changes to Bind names services on dns1 and dns2 if necessary"\n   echo " Change /etc/http/conf/httpd.conf or \n   echo " add config to /etc/http/conf.d/ if using a new domain name"\n   echo " Add e-mail aliases to mail server if necessary"\nFi\nFi"},{"id":"text-653","heading":"Text","content":"FYI: Sample robots.txt files:\n \nUseful links and resources:"},{"id":"text-654","heading":"Text","content":"Livres:"},{"id":"text-655","heading":"Text","content":""Ubuntu Unleashed 2017 edition:"\n Covering 16.10 and 17.04, 17.10 (12th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0134511182"},{"id":"text-656","heading":"Text","content":""Ubuntu Unleashed 2013 edition:"\n Covering 12.10 and 13.04 (8th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672336243\n (Dec 15, 2012)"},{"id":"text-657","heading":"Text","content":""Ubuntu Unleashed 2012 edition:"\n Covering 11.10 and 12.04 (7th Edition)\n by Matthew Helmke, Andrew Hudson and Paul Hudson\n Sams Publishing, ISBN# 0672335786\n (Jan 16, 2012)"},{"id":"text-658","heading":"Text","content":""Red Hat Enterprise Linux 7: Desktops and Administration"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280620\n (Jan 13, 2017)"},{"id":"text-659","heading":"Text","content":""Fedora 18 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280639\n (Mar 6, 2013)"},{"id":"text-660","heading":"Text","content":""Fedora 18 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280698\n (March 29, 2013)"},{"id":"text-661","heading":"Text","content":""Fedora 14 Desktop Handbook"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280167\n (Nov 30, 2010)"},{"id":"text-662","heading":"Text","content":""Fedora 14 Administration and Security"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280221\n (Jan 6, 2011)"},{"id":"text-663","heading":"Text","content":""Fedora 14 Networking and Servers"\n by Richard Petersen\n Surfing Turtle Press, ISBN# 1936280191\n (Dec 26, 2010)"},{"id":"text-664","heading":"Text","content":""Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"\n by Mark Sobell\n Prentice Hall PTR, ISBN# 0137003889\n 2 edition (January 9, 2009)"},{"id":"text-665","heading":"Text","content":""Fedora 10 and Red Hat Enterprise Linux Bible"\n by Christopher Negus\n Wiley, ISBN# 0470413395"},{"id":"text-666","heading":"Text","content":""Red Hat Fedora 6 and Enterprise Linux Bible"\n by Christopher Negus\n Sams, ISBN# 047008278X"},{"id":"text-667","heading":"Text","content":""Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"\n by Richard Petersen\n Sams, ISBN# 0071486429"},{"id":"text-668","heading":"Text","content":""Red Hat Fedora Core 6 Unleashed"\n by Paul Hudson, Andrew Hudson\n Sams, ISBN# 0672329298"},{"id":"text-669","heading":"Text","content":""Red Hat Linux Fedora 3 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672327082"},{"id":"text-670","heading":"Text","content":""Red Hat Linux 9 Unleashed"\n by Bill Ball, Hoyt Duff\n Sams, ISBN# 0672325888\n May 8, 2003"},{"id":"text-671","heading":"Text","content":"I have the Red Hat 6 version and I have found it to be very helpful.\n    I have found it to be way more complete than the other Linux books.\n    It is the most complete general Linux book in publication. While other\n    books in the "Unleashed" series have dissapointed me, this book\n    is the best out there."},{"id":"text-672","heading":"Text","content":""Apache Server Bible 2"\n by Mohammed J. Kabir\n ISBN # 0764548212, Hungry Minds"},{"id":"text-673","heading":"Text","content":"This book is very complete covering all aspects in detail. Ce n'est pas\n    your basic reprint of the apache.org documents like so many others."},{"id":"text-674","heading":"Text","content":""Pro DNS and Bind"\n by Ronald Aitchison\n Apress, ISBN# 1590594940"},{"id":"text-675","heading":"Text","content":"Click to rate this post!\n \n [Total: 0 Average: 0]"}],"media":{"primary_image":""},"relations":[{"rel":"canonical","href":"https://tutos-gameserver.fr/2019/05/02/tutoriel-sur-la-configuration-du-serveur-web-linux-et-du-domaine-bien-choisir-son-serveur-d-impression/"},{"rel":"alternate","href":"https://tutos-gameserver.fr/2019/05/02/tutoriel-sur-la-configuration-du-serveur-web-linux-et-du-domaine-bien-choisir-son-serveur-d-impression/llm","type":"text/html"},{"rel":"alternate","href":"https://tutos-gameserver.fr/2019/05/02/tutoriel-sur-la-configuration-du-serveur-web-linux-et-du-domaine-bien-choisir-son-serveur-d-impression/llm.json","type":"application/json"},{"rel":"llm-manifest","href":"https://tutos-gameserver.fr/llm-endpoints-manifest.json","type":"application/json"}],"http_headers":{"X-LLM-Friendly":"1","X-LLM-Schema":"1.1.0","Content-Security-Policy":"default-src 'none'; img-src * data:; style-src 'unsafe-inline'"},"license":"CC BY-ND 4.0","attribution_required":true,"allow_cors":false}